After being hit with ransomware attack that shut down its IT systems, Erie County Medical Center declined to pay attackers the $30,000 to unlock its system.
Instead, the Western New York facility has spent nearly $10 million rebuilding its systems, according to The Buffalo News, and those costs are expected to keep growing as much as $400,000 per month.
ECMC was forced to return to pen-and-paper charting after the April attack shut down access to its computer systems. The hospital maintained operations by following its power outage emergency preparedness plans. CEO Thomas Quatroche said the attack was “a call to action to view cybersecurity the way we do law enforcement.”
But ECMC won’t bear the brunt of those costs thanks to a decision in November to increase the medical center’s insurance coverage from $2 million to $10 million. Quatroche told the newspaper he expects to recoup most of the costs associated with rebuilding the network through that policy and feels confident the medical center will end up with a $1 million to $2 million budget surplus at the end of the year.
“We will have increased expenses around IT,” he said. “Those costs will be a trade-off as we look at other equipment at the hospital. We feel we can we find savings in non-patient areas.”
ECMC isn’t the only system to opt for a total rebuild over paying a ransom. Princeton Community Hospital in West Virginia opted to replace its system after being hit by the Petya attack in June.
Although law enforcement agencies recommend against paying the ransom, experts say most organizations end up forking over the money given the real-world complexities of running a hospital. Still, they warn that paying the ransom could actually open up the organization to future attacks.