Assurance Letters Keep Hospitals That Suffer Ransomware Attacks Offline Longer

July 17, 2024

Hospitals are frequent targets of ransomware attacks. So-called assurance letters, an expedient that mitigates the legal risks accompanying those attacks, keep hospitals offline longer, which potentially risks lives, as Matt Burgess reports in Wired.

It is common for companies that have software connected to a targeted organization to pull their services immediately after an attack. For hospitals, this can include disconnecting medical records, or even refusing to email the hospital that was attacked.

Burgess explains that most organizations hit by ransomware send assurance letters to connected companies to show them that it is safe to reconnect. The letters can contain up to 40 questions and include detailed requests about how events unfolded, steps taken to respond, and any evidence that may have been gathered.

The article quotes a cybersecurity specialist at a leading law firm who says the demand for assurance letters has increased as breaches have spawned third-party lawsuits. The letters are not required by law, nor are they unique to healthcare providers impacted by ransomware attacks. However, experts say that in situations where lives are at risk, more efficient processes are necessary.

Sean Fitzpatrick, the vice president of external communications at the recently attacked hospital network Ascension, who is also quoted, says: “Negotiating with hundreds of vendors each with their own unique set of requirements to reconnect was an arduous and time-consuming process.”

A health policy expert who has researched the impact of ransomware attacks on US hospitals concluded they result in higher mortality rates, and the longer the disruption, the worse the health outcomes.

Ciaran Martin, the former head of the UK’s National Cyber Security Centre, notes that cybercrime that disrupts vital public services will almost certainly increase in frequency. That will raise questions about the need for governments to have the power to direct private firms to respond in ways that protect the public interest.
