HIMSS21: Your healthcare organization is crippled by ransomware. Should you pay the attackers?

Cyberattacks have ramped up in recent years, and there’s now a strong chance that any given health organization will, at some point, be hit with ransomware.

Should the effort succeed, organizations will find themselves with an unenviable, and sometimes controversial, decision: Should they give in to the ransomer’s demands and pay to regain access to their data or systems?

“I don’t think there’s a singular yes or no,” Michael Rogers, former director of the National Security Agency, former chief of the Central Security Service and former commander of U.S. Cyber Command, said Tuesday during a keynote panel at the 2021 Healthcare Information and Management Systems Society (HIMSS) Global Conference in Las Vegas.

“My personal and professional preference has always been not to [pay], but I do acknowledge there are some circumstances where some organizations feel that it is appropriate,” he said. “Let’s not use money, let’s not use access to data. I think it’s appropriate when we’re talking about life or death. That’s certainly a challenge within healthcare.”

While it may make sense to advocate for a blanket no-payment stance at the macro level, individual organizations facing major disruptions have almost no reason to hold out against their attackers, said Alex Stamos, founding partner of Krebs Stamos Group and the former security head of Facebook and Yahoo.

“It almost always makes logical sense to pay for all of your stakeholders—your shareholders, in this case, your patients,” he said during the keynote. “And that’s the genius of it, right? In that moment, all of the incentives are lined up and it’s probably cheaper to pay a couple million dollars because, honestly, the moment you call a DFIR company and outside counsel you’re at seven figures billing already. Paying is probably cheaper.”


Rogers noted that, legally, there are no restrictions against paying a ransom except when the attacker has been sanctioned by the U.S. Office of Foreign Assets Control (OFAC), the United Nations or other internationally recognized efforts.

Stamos called for the government to lean on this ability and designate the top 10 or 20 ransomware teams as OFAC actors, saying that doing so would give individual organizations a meaningful incentive not to pay ransoms that would otherwise encourage future attacks.

“It would suck to be one of those first companies that gets hit by ransomware and then you’re told by lawyers that you might go to jail if you pay the ransom, but that’s the only way we can strike an economic balance here because the economics are just working out way too well on the attacker’s side,” he said, adding, “Obviously, there are things we’ve got to work on, but in the immediate moment that is the society-level decision we have to make: to take the short-term pain for the long-term benefits of disrupting that economic cycle.”

Karen Elazari, a cybersecurity author and researcher at Tel Aviv University, disagreed with this approach. Not all attackers are motivated by money alone, she said, and tying prevention efforts to economics doesn’t address nation-state actors and others for whom payments are secondary to sowing confusion or fear.

In the absence of a national-level response to these attacks, her advice, and that of the rest of the panel, was for organizations to engage and negotiate with the attacker.


“From my experience and from what I’ve seen in many different cases in Israel, Europe and the U.S., there’s a lot of times where negotiation can halve the price or bring it closer to a manageable amount,” she said. “I’m not endorsing paying ransomware, but I understand that sometimes it’s the only option.”

“It is amazing how bad ransomware people are at negotiating,” Stamos said. “They’re like ‘$50 million dollars!’ They throw out a Dr. Evil number.”

Negotiations also have a slew of secondary benefits in the midst of an ongoing attack, Elazari and Rogers said. They allow an organization to stall for time and gain insight on how the attack happened or what’s motivating the ransomers—information that can eventually be leveraged during law enforcement investigations.

The panel’s other recommendations circled around setting up a game plan for when a healthcare organization is faced with this difficult decision.

Rather than settling on a concrete rule, organizations should be flexible and outline the criteria they’ll consider when caught in a ransomware situation, Rogers said. They can also secure a partner specializing in ransomware negotiations or other relevant cybersecurity crisis experience so they’re ready to respond during an incident, Elazari said.

Michael Coates, the former chief information security officer of Twitter and former head of security at Mozilla, encouraged health organizations to make the most of their breathing room both before and after a ransomware attack. Even when an attacker backs off after receiving payment, the organization has work to do if they want to head off a repeat incident.

“You’re not out of the woods. It’s not like, ‘alright, I’m good to go,’” he said. “They’re probably going to come back for you in three to six months; they probably have a foothold. This is a window of time for you to invest, heavily, to figure out how they’re going to get around [your defense] and put yourself in a better position.

“So, you’re going to make the investment either way. Make it now ahead of time, or do it at triple the cost later,” he said.