AHLA's Speaking of Health Law

Preparing for and Responding to Ransomware Attacks in the Health Care Sector

American Health Law Association

As ransomware attacks grow more sophisticated, health care organizations face not just massive data privacy risks, but real-time threats to operations, patient safety, and regulatory compliance. Dave Bailey, Vice President of Security Services, Clearwater, speaks with Kirk Nahra, Partner, Wilmer Hale, and Paul Schmeltzer, Member, Clark Hill, about how ransomware impacts everything from hospital workflows to enforcement actions, and what health care organizations can do to prepare and respond to the threat. Kirk and Paul spoke about this topic at AHLA’s 2025 Advising Providers: Legal Strategies for AMCs, Physicians, and Hospitals conference in Austin, TX. Sponsored by Clearwater

AHLA's Health Law Daily Podcast Is Here!

AHLA's popular Health Law Daily email newsletter is now a daily podcast, exclusively for AHLA Premium members. Get all your health law news from the major media outlets on this new podcast! To subscribe and add this private podcast feed to your podcast app, go to americanhealthlaw.org/dailypodcast.

SPEAKER_00:

Support for AHLA comes from Clearwater. As the healthcare industry's largest pure-play provider of cybersecurity and compliance solutions, Clearwater helps organizations across the healthcare ecosystem move to a more secure, compliant, and resilient state so they can achieve their mission. The company provides a deep pool of experts across a broad range of cybersecurity, privacy, and compliance domains, purpose-built software that enables efficient identification and management of cybersecurity and compliance risks. and a tech-enabled 24-7-365 security operations center with managed threat detection and response capabilities. For more information, visit clearwatersecurity.com.

SPEAKER_01:

Good day. This is Dave Bailey, Vice President of Security Services at Clearwater. As ransomware attacks grow more sophisticated, healthcare organizations are facing not just massive data privacy risk, but real-time threats to operations, patient safety and regulatory compliance. The fallout is no longer just about data. It's about delayed treatments, system shutdowns and legal consequences with impacts that can linger for years. In this episode of AHLA's Speaking of Health Law podcast, we'll explore how ransomware impacts everything from hospital workflows to enforcement actions, and most importantly, what can be done about it. Joining me for this discussion are Kirk Nahra, a partner with the law firm WilmerHale and co-chair of the firm's Cybersecurity and Privacy Practice, and Paul Schmeltzer, a member with the law firm Clark Hill, who counsels healthcare clients on cybersecurity and privacy incidents. Kirk and Paul presented on this topic at AHLA's Advising Providers Conference earlier this year, and I'm excited to dive deeper on the topic of ransomware with them today. Gentlemen, it's great to speak with you. Let's jump in. How have we seen ransomware attacks disrupting day-to-day healthcare operations beyond data access issues?

SPEAKER_02:

Well, Dave, the operational impacts from a ransomware attack go beyond just access to the data itself. A few years ago, for example, I had a client that was the victim of a ransomware attack, very specific servers that the threat actors hit. When my client failed to acknowledge that there was ransomware demand and follow up with a threat actor on the dark web to negotiate with them, this threat actor, for example, started calling my client's healthcare operations nonstop, almost to the point where it just shut down their operations or their ability to conduct business via telephone. So that's an example of where a threat actor, if they don't get the proper response they're looking for, can really disrupt the daily operations. But beyond that, the threats from a ransomware attack are much more... severe and can be much more than just the data access issue. For example, if the threat actors hit specific servers or specific medical devices within the facility, for example, infusion pumps or smart beds, then operationally, the practice has to scramble to figure out how they're going to deliver treatment to patients without those medical devices, for example. It could also be issues such as the inability to conduct operations and sending patients to another facility nearby if, for example, their EHR is down. And rebuilding it or buying new servers is going to take some time. And so these things aren't instant. And so the operational impact when you have a ransomware attack like this goes just beyond the data access.

SPEAKER_01:

Yeah, I echo those comments and would say we're into the disruptive nature of ransomware. And obviously we're about a year out from change healthcare. And I think we all saw what the potential impacts are when a major service that is required for a business to do operations is not available due to that ransomware attack. So, you know, once again, it's not just about the data recovery, but how is an organization, you know, how can they become resilient and be able to continue their business operations once this type of destructive attack happens?

SPEAKER_02:

I would just add to that point that, you know, these attacks are becoming more and more sophisticated. And the whole design here is to disrupt operations to the point where they compel the victim to pay a ransom. So whatever they can do, whatever leverage they can have on the organization and how they can disrupt operations, that's what they're going to do to try to get a payment out of the victim.

SPEAKER_01:

How are regulators like OCR, FTC, state attorney generals responding to ransomware incidents in health care?

SPEAKER_03:

Well, it's a tricky issue for them. I mean, they are, you know, for the most part, particularly, you know, OCR, which is a privacy and data security specific organization. They don't necessarily have some of the patient care requirements or ideas in their mind; it's not really part of their authority. And so what we're seeing is we're seeing regulators get interested in these events early on. You know, again, often you learn about them because, particularly if there's a major shutdown of a healthcare institution, the regulators will know about that before there's been any kind of breach reporting. You know, the breach reporting is usually how they learn about it. So they know about these things early on. So we're often seeing questions come in before, you know, the healthcare facilities really even know what they're doing, what they're, who they're notifying, who's affected, I mean, all kinds of issues like that. And so one of the concerns that I have in just dealing with a lot of these issues is that regulator attention too early on can actually be meaningfully disruptive of the ability to fight back in the ransomware attack. So I'm a little bit concerned when we see regulator pressure actually create more problems for entities that are trying to recover and deal with the ransomware attacks.

SPEAKER_01:

Yeah, no, that's extremely good insight. And also knowing that when something like this happens, it's really important for an organization to understand what their obligations are as far as the response to those regulators. And as we all know, we're continuing to see additional pressures, change in law, change in focus on what will be required of an organization to be able to respond to these types of events.

SPEAKER_03:

Well, one other point on that is that there's often a little bit of a disconnect between the impact from a ransomware attack and the typical regulatory obligations. I mean, again, regulatory obligations typically flow towards your data was impacted. We're going to send you a letter telling you that your data was impacted in connection with this. If what happens is your record isn't available if you happen to be in the hospital that day, that's a very different look. And the laws are not particularly well calculated for that. And I can think of the first ransomware situation I was ever involved in. There was no impact on the data. The data was not taken. The systems were shut down. So it's a very different analysis. And I don't think the laws are well targeted for that, because the laws are targeted to these notice points, which are really not the major concern, at least in the first instance in most ransomware attacks.

SPEAKER_01:

And how have you seen recent enforcement actions shape the way healthcare organizations need to prepare for ransomware threats?

SPEAKER_03:

I mean, I guess... I don't know that I look at the enforcement actions as shaping too much in the following sense, which is, I am always of the view, and this is something I say in speeches, I say to clients all the time. I mean, companies should be doing aggressive security practices for their own selfish self-interest. It's not because, it shouldn't just be because there's a legal obligation to do that. And so, in connection with ransomware, what companies should be doing is they should be learning from the lessons that affected their peers or other people in the industry. And so whether there's ultimately an enforcement action two, three, four years down the road in connection with one of these things, companies have to be cognizant of what a ransomware attack is and what it means. They have to be preparing for that now, again, independent of enforcement. You could look at some of the enforcement actions. There haven't actually been all that many tied to ransomware, but you can look through them in the same way that you could look at any, using OCR as an example. You can go through OCR settlements and come up with a set of security practices that OCR has found to be problematic. It's not that surprising a list, right? You need to do your risk assessment. You need to do a bunch of things like that. So you can, I mean, maybe if I need to persuade a company who's not otherwise looking to do this in the first instance, I can persuade them by saying, well, look, here's a bunch of cases that said A, B, C, D. But for the most part, I want to say, look, you know what this risk is. Let's think through how that kind of a risk could affect your company. And let's plan for that in advance. Again, it's in your own interest to do that. It's not just a question of legal obligation. And that's particularly true for a healthcare facility who's trying to serve patients.
I mean, you can't serve the patients if you can't access any of the records or the systems that allow you to treat that. And the point Paul made earlier about medical devices and things like that, that's, again, a huge additional piece of that. And so companies should be thinking about all of those issues, not entirely separate from enforcement, but essentially independent. Don't use the enforcement as a way to justify it. Use the need to solve these problems and address these problems.

SPEAKER_02:

Dave, let me interject for a moment here. Kirk is right in what he just said, but I want to just add one thing. There's been a recent uptick in really, admittedly, older investigations from 2019 through 2021 of settlements that are being announced by HHS OCR under their ransomware and risk analysis initiatives. And these are relatively new terms for the settlements they're putting them under, or they're calling them these things. And it's relatively new since the end of last year, but the fact is that these recent enforcement actions by OCR can, and unfortunately, I deal with a lot of the clients that Kirk's talking about that don't have the security in place, the cybersecurity posture in place. They don't do regular periodic risk assessments. They need to be coaxed. They need to understand, like, here's your obligations under state law and federal law, HIPAA, et cetera. And so these OCR settlements, what they guide my clients to, at least to kind of bring them to water, is that they need to be conducting annual, very thorough risk analysis. And that's the biggest thing that's missing from a lot of these mid-sized to smaller practices. They don't conduct an annual risk assessment. That risk analysis is simply not there. It's not documented. And so when they're hit with a cyber attack, whether it's a ransomware attack or a business email compromise, they are unprepared. And when that resulting OCR investigation happens, they have nothing to show in terms of prior risk analysis. So if I could distill this down into one thing that these enforcement actions shape, it's just the understanding to some people in the healthcare industry that they need to conduct periodic risk analysis. And it's got to be thorough. It just can't be something where you're going through the motions. It really has to identify the risks that are unique to your organization.
And so that's the one thing that my clients that I have a hard time selling to, because they haven't bought into this already, need to understand.

SPEAKER_01:

You know, I echo all of that and will say that it is very difficult in today's healthcare ecosystem to not manage to risk. Like, you have to understand what your risks are. In order to do that, you have to know your adversary and understand that ransomware is real, that the adversary is specifically attacking this particular industry for financial gain. And they are very successful at it. And doing that thorough risk analysis, understanding where all your PHI is and doing that asset-based approach to understand what risks you have and what you need to address and prioritize. If you're doing that through good risk management practices, you'll be in a better place and most likely minimize the impacts of these types of attacks. With that said, certainly highlighting the practices that an organization needs to implement, I want to ask specifically about incident response. What do you think the most critical elements of ransomware-specific incident response are? How do folks need to be prepared to respond to ransomware?

SPEAKER_03:

Well, happy to jump in on that one. I mean, one of the things that ransomware did as a concept is to focus attention on certain elements of incident response that, you know, in the early years of the HIPAA security rule, for example, I don't know how much attention people were really paying to things like their backups and how they were going to run an emergency situation. You know, when you were worried about a hacker just taking your data, you had certain things that you were going to prepare for on that. Ransomware has forced a shift in that thinking. It doesn't mean the other stuff isn't also important, but it means that you have to be planning for these alternative ways of doing your business. And, you know, I think that one thing many companies have found is like, oh, yeah, we have a backup system, but when you try to access it doesn't work. So I think the importance of having alternate ways of running your business, alternate paths to your data, alternate paths to your systems, and really thinking through that is the main area that I think ransomware has uniquely focused attention on and really made that a core element of overall security protection.

SPEAKER_02:

Yeah, I would agree with Kirk there, Dave. You know, having access to good backups and testing your backups periodically, it's common sense. It should be common sense, but for a lot of organizations, it's not treated that way. And so they say, yeah, we have backups, but they don't test them. And then the next thing you know, they're hit with ransomware, those backups either are not viable for whatever reason, or even the threat actor went in and corrupted those backups. So they're not viable either. So there's a lot of, you know, the threat actors, they're not stupid. They, I mean, sometimes they are, but in general, they will go in and say, what are those pressure points I can inflict on this organization? And if it involves a preemptive strike on the backups and then going in and, you know, infecting the network and making it so that both the current EHR data and the backup data are unusable, that's an extra layer of stress on that organization. And that's going to bring them to the bargaining table with the threat actor, which is what they want in the first place.

SPEAKER_03:

And I think the other practice that I would really encourage is the use of good, thoughtful tabletop exercises. I mean, I think people have, you know, the companies who are more thoughtful about these practices tend to go through the exercise of tabletops. The companies, you know, some of the smaller, medium-sized companies that Paul was alluding to earlier who aren't focused on this probably aren't doing a tabletop either, but really thinking through all of these issues to try to come up with a good creative scenario and really get the right, you know, the right people involved. And it's not, you know, it's not a small group a lot of times. I mean, that's one of the other striking things about so many of these incidents is how, you know, broadly these things are felt across a company. And you really want to make sure you're getting a good cross section of your population, not the consumer population, but I mean, your employee population involved in a good, thoughtful tabletop exercise. Because those exercises, I'm not going to say it's 100% of the time, but boy, a really large percentage of them, people are, oh, yeah, we didn't think about that, or we missed that we needed to include that, or we, you know, this new acquisition we had didn't get brought into the risk assessment, or we opened a new office that operates a different way, and we didn't factor that in. So I think that those are, again, a really good... they're a backup to the idea about having good backups, but they're a strategic backup on that to really run a good tabletop exercise.

SPEAKER_01:

Yeah, no, I echo all of that and will say, I think some of the critical elements for ransomware... It's extremely important for organizations to understand what's important from a business perspective, having that good business impact analysis, because a good incident response plan should align to that business impact analysis to make sure that they have the ability to quickly respond, certainly from how to deal with a disruption. And I think that is key. The other thing that I always try to help with our clients is don't wait until the ransomware event to figure out who you need to talk to, and make sure that all of those key stakeholders, not only your partners, but law enforcement, anybody that you feel would be involved if you had a ransomware incident, that you foster a relationship with that entity, that organization. Because if you don't have one, speed is extremely important in response, and trying to figure out who you need to talk to during a response can be very challenging. And I think one of the visuals that I always had with tabletops is, if you ask someone, hey, do you have an incident response plan? And they say, sure, we do. And they take off the shelf, and once again, this is visual, that shiny brand new binder that looks brand new. And they say, here's the incident response plan, versus the person that takes off the ratty binder that has all the pages stuck in with the notes and the tabs and everything in it. I would say that probably the ratty binder, that organization is better prepared, because it means that they're practicing and that they're constantly going over the necessary things. Because once again, this threat is real. This is not a threat that, you know, may happen in healthcare, as we can see just by the number of threat actors alone that are targeting healthcare. You know, you can look at all the statistics right now and go out and see how many of these threat actors are actually attacking the US healthcare industry.
And there's multiple, it's not just a small group of people there. There are many cyber criminals that are, you know, trying to exploit this. So I certainly echo.

SPEAKER_02:

Yeah. Let me add some to that, Dave. I would just add that as someone who does a lot of tabletops for clients, I'll say that... probably one out of every three or one out of every five clients that comes to me says, oh, I have an incident response plan, but it's not finished yet. And they'll send me over what they have. And it is basically an incident response plan. And I go, well, what's not finished about this? Oh, well, we need to do this or that. We got to add this. And I'm like, look, incident response plan. When we go through the tabletop exercise, you're going to come back after that exercise and make modifications to it. You're going to add to it. This is a living, breathing document. Like you said, the rattier binder on the shelf, that's the one that's been pulled out and used more. That's the one I'm looking for. A lot of my clients, they've got these new, neat binders. They haven't even broken, they haven't even put it in a binder, if you want to use the imagery there, because they're worried that it's not complete. It's never going to really be complete, especially pre-tabletop, their first ever tabletop exercise. And that's one of the purposes of these tabletop exercises, to go in and really test your incident response plan. It's not set in stone. It's going to be modified after. We're going to learn lessons through the exercise. It's going to get, you know, additional revisions to it. And that's the thing. A lot of my clients are really hesitant to share this document. I'm like, look, we need to see what it looks like now, because what it's going to turn out looking like post tabletop exercise is going to be something that's going to be much more useful to your organization.

SPEAKER_03:

Well, just to add to that, I think it's, I mean, that's a good way to think about it. It's not that, you know, a tabletop that identifies additional things to pay attention to is, you know, a low grade on your incident response plan. It's exactly the kind of lesson you should be learning. And so I think that point about perfection is absolutely right on. I mean, again, I wouldn't do a tabletop before you've even thought about what your incident response plan is. But if you have, you know, if you have a document that's like, okay, here's, we've taken a shot at it, let's figure out how to make it work. I think it's really, the tabletops are really good learning exercises to make sure that that incident response plan hits all the right things. And Dave, I want to go back to one other thing you mentioned a couple of minutes ago that's just really important, which is the law enforcement connection on this. The relationship between industry and law enforcement in the data security world has not always been a smooth relationship. And I'm not going to say it's always smooth now, but I will say that the attention that law enforcement gives to these ransomware attacks is quite substantial, and they are often very helpful. I mean, they're not going to give you everything they've got in their investigation. But I mean, they can be very helpful. They can give useful information. They are often investigating the same kind of folks. There's, I mean, I agree that there are lots of them, but there are certainly repeat players. There are people who try to build a reputation in this area for good or bad. Law enforcement often can convey, you know, what they know about a particular threat actor.
And so I do think that having those relationships, at least knowing, you know, knowing who it's going to be and who you're going to reach out to. And you're going to think about, if you're a hospital system that has facilities in 10 different states, is there somebody that you're focusing your attention on? It's probably hard to get 10 different relationships going. So I do think that that law enforcement component should be a critical part of not just ransomware, it's overall information security, but I think it's particularly useful in the ransomware context, because the law enforcement people are more likely to have some useful information that they are often willing to share to some extent.

SPEAKER_01:

Yeah, no, excellent point on that. And I'll just say and remind everyone that ransomware is the end of the attack chain, which usually means that there's lots of things that have occurred up until that particular point, and the assumption is that the threat actor has your data. And you may be at a point where you're noticing the disruptions due to all the data encryption. The days of ransomware being kept or swept under the rug are over. Not that people should be doing that, but usually if ransomware has occurred, it means that there's a threat actor that's already talking about it and is reaching out to you from an extortion standpoint. They may already be going public with that. You would have to assume that the news media and law enforcement are going to know, and I would just echo and tell everyone, at least have the relationship. It's still going to be up to the organization and their ultimate decision to involve who they feel they need to involve in the incident response. But it's really good to have the relationship there with that. All right, question for the both of you. If you had a client right now today that contacted you and said, hey, we're having a ransomware attack right now, what recommendations do you have for them and how they should go about navigating that ransomware incident?

SPEAKER_02:

Kirk, you want to start this one off?

SPEAKER_03:

Sure. Well, look, I think the most important thing to be thinking about right away is what you think is impacted. Now, lots of these incidents have sort of a, you know, I'm sure there's a military analogy, but like sort of a false front and then you move, you know, but because, and this goes back to what Paul started off with in the discussion, I mean, because there are so many operational issues connected with that, you're really trying to triage that operational support. You want to figure out where they are. You want to get your IT people or a forensic firm, if you're working with them, you want to get them involved quickly to make sure that you can try to limit the access that they have. I mean, there certainly have been a number of recent situations where quick action has not eliminated the threat, but it has prevented the spread of the threat. And I guess that one thing that just also flags, you mentioned law enforcement a few minutes ago, having relationships. I also want to make sure that your company has a relationship with a forensic firm upfront who can be, you know, usually we try to have, you know, a privileged engagement letter that we can sort of leverage quickly. So, you know, waste 24 hours or 48 hours figuring out who that is and getting a document signed and things like that. You want to think about it. This is part of your incident response. You want to make sure that you've thought about the vendors that you need to have in place, including a law firm for that matter. You want to have those in place right up front so that just getting somebody up to speed and onboarded is not a delay factor. Because really moving quickly in a very thoughtful way, I think, is the most important step there.

SPEAKER_02:

Yeah. And just to add to what Kirk just said, Dave, when, you know, in those initial minutes of a ransomware event coming in, my first question for the client is, what's the data? What do we know about the data and what's impacted here? Because that will really influence what forensic vendor I send them to if they need a forensic vendor. In a lot of cases, that's one of the first steps is let's get in outside forensics, because your IT people have probably been up for a little while trying to figure out what's going on. Let's bring in some external help. But the external help that's brought in, it really depends on the value and the flavor of the data that's impacted. And we might not know this right now, but it really matters at some point to have that discussion. And hopefully it's earlier in the event rather than later, so that I can bring in the right forensics firms. So, for example, if I need a firm that is adept at negotiating with a threat actor on paying a ransom, you know, I'm going to go with one vendor over, say, another. There's specific, you know, priorities and preferences I have; it really depends on the nature of the attack and what data is at stake. So that's really going to influence the next step. But the next step in my head would certainly be to reach out to a third-party forensics vendor, in most cases, to assist with eradicating the threat and then rebuilding and determining what data is at stake.

SPEAKER_01:

It's also important to add to that, if you don't already have an established incident response plan, to reach out to someone who can assist you in that response, not only from the first responder perspective, determining what happened, are you still under attack, but then help with the potential things like ransomware negotiation, like helping with the understanding, do you pay or not pay? Do you even have the ability to pay? Are there Bitcoin avenues for you? And you would certainly want someone with expertise that has dealt with ransomware negotiation to be able to assist you in that particular process. I think one of the biggest things that occurs in helping and prepping clients with their incident response is working with leaders in an organization that are ultimately going to have to make decisions with not a lot of information. Most leaders like to have information at their fingertips in order to make a sound decision. And at times, certainly in ransomware, the preparedness that they need to at least establish that, hey, I may not have all of the information but am going to have to make a decision that may be critical for us to, you know, not only survive but to continue with patient care, or, you know, continue with the least amount of impact. So I think that's some of the biggest things I would ultimately tell someone. If it happens to you, please reach out. Please reach out to folks like Paul and Kirk and understand and get help throughout the process. I think it's extremely important.

SPEAKER_03:

Well, and your point about leadership may be similar to what Paul said earlier about the perfection of the incident response plan. It doesn't need to be perfect. Move it along. Here, you're never going to have all the information, exactly as you said. And so I think... building that comfort level up front. So have a company be cognizant of their general approach, be cognizant of how this would actually work in practice. I mean, some companies are going to have an absolute idea that they would never pay a ransom. Then it hits and you've got all these challenges. So I do think that it's like many of the relationships in this area. It is always going to be better if you have built it upfront, not in a crisis situation. I mean, you can cement it, you can work, you know, but the crisis management is much better when you're working with people that you're used to working with and you're comfortable working with. And that goes, you know, that goes for the internal legal, that goes for the IT security people, that goes for senior management. That's true across the board on that. Now that's not, you know, that's not always gonna happen. And we certainly, I mean, Paul and I are both involved in situations where the first time you hear from a client is when they're in the middle of a ransomware attack. I mean, I'm always a little surprised by that. But you have sort of a desired way to do this, which would involve, before anything happens, thinking about their plans and evaluating their security and working on all of that stuff. And then you can get brought in in other situations that are less desirable, but where there's an ongoing active incident. We also get situations where we're brought in after the incident to handle the regulatory investigations or notice questions and things like that. So you've got that sort of timeline. It's in the company's interest, as much as you can, to start at the earliest part of that timeline that you can.

SPEAKER_01:

Well, gentlemen, it has been an absolute pleasure today. Kirk and Paul, thanks for the excellent insights that you shared. And to our audience, thanks for listening. We hope you found this episode helpful. Have a great rest of your day.

SPEAKER_03:

Thank you for having us. Thank you, Dave.

SPEAKER_00:

Thank you for listening. If you enjoyed this episode, be sure to subscribe to AHLA's Speaking of Health Law wherever you get your podcasts. To learn more about AHLA and the educational resources available to the health law community, visit americanhealthlaw.org.