Whether to pay ransom in the event of a cyberattack is not a clear decision for hospital and health system leaders, Chief Healthcare Executive reported June 29.
On one hand, the executives might be desperate to restore their IT systems to protect the health and safety of patients after a ransomware attack, while, on another, the hackers might not even return the data once ransom is paid or work for adversarial countries like Iran or North Korea, experts told the news outlet.
"No one wants to pay the ransom," John Riggi, national advisor for cybersecurity and risk for the American Hospital Association, told the website. "It's the equivalent of having a digital gun pointed at your head and at your patients. If a decision is made to pay, it is based on patient safety issues."
If the group is tied to an adversary, he added, "you may be unintentionally funding their national strategic objectives, including for North Korea, their nuclear weapons program."
While 61 percent of healthcare organizations say they've paid a ransom, according to a 2022 Sophos survey cited in the story, the White House is considering outlawing the practice.
Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society, advised against paying the ransom and recommended instead retaining cyber liability insurance, an incident response team and ransom negotiator.
"Even if you pay the ransom, it is not a guarantee that you're going to get data back and it's going to be successful," cybersecurity consultant Crane Hassold told Chief Healthcare Executive. "There have been so many examples of you know, someone paying a ransom, and then not actually receiving a decryption key, or receiving a decryption key and it just not working."