The end of January brought the most recent Office for Civil Rights (OCR) Newsletter, specifically dealing with cyber extortion after ransomware attacks.

The OCR describes cyber extortion as cybercriminals demanding money to stop or delay their “malicious activities.” The OCR also notes that organizations that provide necessary services or maintain sensitive data are frequent targets.

Additionally, the newsletter provides information on ransomware. Essentially, it is malware that makes it impossible to access protected health information (PHI) without the encryption key. The key must be obtained from the hacker, and to get it the organization must pay a ransom, typically in cryptocurrency.

There is every reason to believe that paying the ransom may not result in full access to the affected PHI. These are criminals, after all. They may provide access to some of it, but then demand more ransom for the rest.

For covered entities or business associates that find themselves facing ransomware and the need to pay the ransom, the OCR has created a fact sheet on how to respond.

Another example of cyber extortion is the Distributed Denial of Service (DDoS) attack. A DDoS attack occurs when multiple systems flood the bandwidth or resources of a targeted system, usually one or more web servers.

An example of that was in 2014, when Boston Children’s Hospital was dealing with a controversial case regarding a teenage girl who had been taken into state custody; doctors claimed that her ailment was largely psychological and that her parents were pushing for unnecessary treatments. Someone in the hacktivist group Anonymous viewed this as an infringement on the girl’s rights and decided to punish the hospital with a DDoS attack, flooding the hospital’s servers with traffic to bring them down.

These attacks are comparatively rare. They are more often aimed at large targets, and they take a concerted effort to marshal enough devices to attack one website or company’s server.

A third and more likely scenario is when a hacker gains access to an organization’s computer system or server, steals data, and then threatens to publish it.

Examples of this type of attack have been reported in past breaches. TheDarkOverlord has hacked into many health care organizations’ computer systems, retrieved PHI, and then demanded that the organization pay a ransom in exchange for not leaking the information on the web.

Finally, the OCR provides ideas on how to prevent these types of attacks. First and foremost, it instructs health care organizations to perform the risk assessment or analysis that HIPAA compliance requires. Second is training employees to better identify suspicious emails, another HIPAA compliance requirement. Other ways to prevent these types of attacks include using anti-malware solutions, ensuring patches are installed on systems, and limiting internal access to PHI. Lastly, one of the most important things an organization can do to help prevent cyber extortion is to keep a full backup of all information stored on the network. It is a requirement for HIPAA compliance, and it allows an organization to restore its data and ignore the extortion attempt entirely.