Should Hospitals Pay Off Cyber Terrorists?
What to Do After a Ransomware Attack
2020 and 2021 created a veritable gauntlet of misfortune for hospitals — overworked staff in overcrowded facilities working desperately to contain a highly contagious virus. Other viruses crept in, too: Ransomware infiltrated hospital networks across the U.S. in record numbers, profiting from internal chaos and adding havoc to already overtaxed systems. Even worse, cybercriminals show no signs of slowing down in 2022.
Operating at a Loss
Hospitals aren’t known for having robust cybersecurity defenses. They typically don’t have the budget, personnel, or bandwidth for modern security systems. But their internal systems are crucial to providing care: In a perfect world, they should experience 100% uptime — no system errors, no downtime — and be impenetrable. The risks are hard to overstate: Attackers with network access have the power to block access to vital patient data, disable life-saving alerts, trigger false alarms, halt procedures, and cause any number of otherwise avoidable disasters. Even a brief period of network downtime is a crushing weight on already overburdened hospital staff.
Ransom. To Pay or Not to Pay?
When it comes to the question of meeting the demands of ransomware, conventional wisdom lands on the side of “hard no”. Often, the argument is a variation of, “We shouldn’t negotiate with terrorists!” Most authorities, including the FBI, advise against paying a ransom. There is no guarantee that an attacker will keep their end of the bargain and return stolen data or give back system access. Some groups are also known to extort their victims for double or triple payments. But for hospitals, the stakes are undeniably higher than they are with a financial institution. Losing a client’s bank account credentials is one thing — losing a patient is another.
In the fall of 2020, malware on an employee’s computer at the University of Vermont Medical Center (UVMC) led to a full-on cyber attack. The attackers included a file with information on how to contact them to obtain the tool to decrypt the infected files, a step UVMC opted not to take, assuming that further contact would only result in a ransom demand. The incident was estimated to have cost UVMC $50 million, mostly in lost revenue, and IT staff worked around the clock for a month to scrub their network systems. And this was a non-threatening attack, which only interfered with health records and payroll. Would it have been worthwhile to pay the ransom? Considering what’s at stake, what can a hospital do?
The Price of Paying
Over the last decade, some hospitals have opted to pay ransoms; in 2021, the average payment was $131,000. Obviously, this is much lower than the $50 million UVMC lost, but paying “reasonable” ransoms has led to another cost altogether: Now groups like FIN12 are attacking healthcare institutions more often, taking advantage of outdated security systems and threatening patients’ lives.
Though it may seem less costly and time-consuming on paper, giving in to an attacker’s demands is usually not the best method for dealing with ransomware. Authorities may advise a hospital to pay the ransom initially to spare patients at risk, but such a decision is not taken lightly and should not be made without guidance.
Ransomware Has Attacked Your Hospital. What Should You Do Next?
Step 1: Get help, fast, from an expert. Do not immediately pay the ransom or trust the cybercriminals.
Step 2: Isolate devices from the network, secure backups, and identify the source and goals of the attack to contain and minimize affected data.
Step 3: Report the attack to the FBI, state and local law enforcement, the Secret Service’s Electronic Crimes Task Force, the Internet Complaint Center, and the Federal Trade Commission. If your institution has cyber liability insurance, contact your insurance carrier.
Step 4: Though authorities may advise a hospital to pay the ransom to save a patient’s life, giving in to a cybercriminal’s demands does not guarantee decryption. Moreover, an attack’s success can lead to more incidents in the future. Follow your organization’s incident response plan — and weigh your options.
Be Proactive: Prepare For Future Attacks.
Always make backups of important documents, keep them off the network, and test your processes for restoring backups.
Assign staff to a cybersecurity response team.
Create and update an incident plan detailing what signs to watch for and how to react.