As hospitals and health systems battle the growing threat of ransomware, CEOs are coming face-to-face with an increasingly tricky decision about whether to pay the ransom.
Each option comes with its own baggage, former FBI agents and cybersecurity analysts told FierceHealthcare in exclusive interviews, which leaves health systems victimized by ransomware attacks facing a web of complexities and few desirable outcomes. Pay the ransom, and hospitals open themselves up to future attacks and help fund criminal enterprises or potentially feed money into overseas terrorist organizations. Refuse to pay, and the hospital loses access to vital IT systems, which could compromise patient lives.
In a complex healthcare environment where patient care hangs in the balance, there are few easy answers. The decision a hospital makes depends on several factors, including which data or systems were compromised and how much hackers demand in ransom.
Christopher Tarbell, director of cybersecurity and investigations at Berkeley Research Group and a former special agent with the FBI, told FierceHealthcare he sees both sides of it. Some companies he works with take a hard-line stance against paying a ransom knowing it provides funding for malicious actors, and they’ll “burn the house down” to avoid making that payment.
“Then we deal with clients on the other end who don’t know how to purchase Bitcoins,” he said.
Two attacks, two different approaches
There is virtually no industry consensus on the issue of ransomware, primarily because the circumstances surrounding each attack can vary widely. Although the FBI does not support paying ransoms, the agency says it “recognizes executives, when faced with inoperability issues, will evaluate all options to protect their shareholders, employees, and customers.” That position has softened in recent years, according to Tarbell, given the real-world complexities associated with ransomware attacks.
Past attacks have shown just how much hospitals can differ in this approach. Last year, Hollywood Presbyterian Medical Center forked over $17,000 to unlock its data from hackers. CEO Allen Stefanek said it was the “quickest and most efficient way to restore our systems and administrative functions.”
That’s a widely held view within the industry. Bill Fox, vice president of healthcare and life sciences at MarkLogic and former deputy chief of economic and cybercrime at the Philadelphia District Attorney’s Office, told FierceHealthcare the precarious nature of healthcare leaves hospitals with little leverage.
“To me, the term ransomware as it applies to healthcare is really accurate,” he said. “They really are holding someone’s life in the balance.”
Robert Anderson Jr., managing director in the global legal technical solutions practice at Navigant and a former national security executive at the FBI who specialized in cybersecurity, works with 500 to 600 companies each year that are hit with ransomware attacks, including “a significant number” of healthcare clients. He estimates that 90% of those companies pay the ransom.
“A lot of it has nothing to do with whether they want to pay the ransom or not,” he said. “It comes down to simple business survival.”
Emory Healthcare in Georgia took a much different approach after it was hit with an attack earlier this year in which hackers deleted information from a patient appointment database and demanded payment. In an email to FierceHealthcare, a hospital spokesperson said the system opted not to pay the ransom because the organization “had a back-up copy of the data that had been accessed by an unauthorized user” and because the database “contained limited information” such as patient names, dates of birth and contact information, but no Social Security numbers or medical information.
Earlier this month, Erie County Medical Center in Buffalo, New York, went back to paper records after a cyberattack brought down its IT system. The hospital has been slowly bringing itself back online but declined to say whether it was the victim of a ransomware attack.
The size of the ransom is often a deciding factor. Ransoms range from $500 to $22 million depending on the size of the company, Tarbell said. For smaller organizations, paying the ransom is quicker and easier than buying new equipment or hiring a consultant. For companies that don’t want to pay, encrypted data can take years to crack.
Making a payment won’t stop future threats
Paying off attackers doesn’t mean the issue is resolved—in fact, an organization’s willingness to pay makes it a target for subsequent attacks. And just because the data is returned doesn’t mean it’s clean. Anderson said he recently consulted with two healthcare systems that declined to do a forensic analysis of their data after they paid to have it returned. Several months later both hospitals had been attacked by a virus planted by the hackers.
“I dealt with bad guys for 30 years,” Anderson said. “I know how they think. If they can burglarize your house and come back five more times without getting caught they are going to do it.”
Tarbell, who helped bring down the architect of the billion-dollar illicit online marketplace known as “Silk Road,” has a similar perspective, noting that more serious threats are sitting at the doorstep of the medical device industry.
“I would like to live in a world where I didn’t see the darker side of people and think you can make a pacemaker I can monitor on my phone or my watch and people aren’t going to exploit that or use that to hold me hostage and control my heartbeat,” he said. “But we’re right around the corner.”
Experts say hospitals need to prevent hackers from compromising data in the first place. Backing up data, segmenting systems and making incremental network upgrades can help ensure hospitals aren’t in the position of deciding whether to make a payment.
But the ability to quickly respond to a cyberattack is perhaps more important. One way hospitals can prepare: Open up lines of communication between the chief information security officer and the board. Although portions of the healthcare industry are beginning to streamline those reporting channels, Anderson said even the 2014 attack on Sony took less than 10 minutes.
“You’ve got a breach that starts overseas and completely shuts down and cripples a company in the United States in under 10 minutes,” he said. “It’s not that you’re going to stop that breach, but you need the ability to get to your boss and get to the board quickly and start your remediation plan.”