To pay or not to pay ransom: A tale of two hospitals

At least five hospitals reported ransowmare attacks in the past two months. For two of those hospitals, many of the basics of the incidents were the same — they both declared an internal state of emergency after malware locked them out of their systems. However, the resolutions at the hospitals were vastly different.

The first, and most public, incident happened at Hollywood Presbyterian Medical Center in Los Angeles, where in early February hackers shutdown the hospital network and locked physicians out of the EHR. The second occurred at Methodist Hospital in Henderson, Ky., in March, where a ransomware virus limited the use of the hospitals web-based services.  

While Hollywood Presbyterian paid a $17,000 ransom, Methodist Hospital didn't spend a dime.

The latter scenario, in which organizations do not pay anything, is actually more common, according to Mac McMillan, co-founder and CEO of healthcare security and privacy consulting firm CynergisTek. "Many of our hospitals do actually detect the ransomware when it comes in," Mr. McMillan says. "A lot are able to detect it . stop it and then physically remove it from their environment and rebuild those systems…to get back up and running."

That appears to be the case at Methodist Hospital. A hospital statement indicates the information systems department immediately shut down the hospital's electronic data system to prevent the virus from spreading and activated a back up system while the main system was down. Now, the hospital is restructuring its network. No payment needed. (Methodist Hospital did not disclose how much ransom was demanded).

This is the path to resolution Mr. McMillan says the security world prefers because when organizations pay the ransom, it encourages other bad actors to launch their own ransomware campaigns. It's an opportunistic industry.

However, Mr. McMillan acknowledges it's an easier-said-than-done situation because security professionals aren't the ones directly dealing with the event or its fallout. "If you put yourself in these organizations' positions, you're facing a downtime that is costing the business millions of dollars. You're facing a situation where you're confronted with a public event," he says. "It's unfair armchair quarterbacking to say perhaps he didn't make the right decision. At the end of the day, he may have made the only decision that makes sense."

Allen Stefanek, president and CEO of Hollywood Presbyterian, said in a statement the hospital decided to pay the ransom because it was "the quickest and most efficient way to restore our systems and administrative functions…and obtain the decryption key. In the best interest of restoring normal operations, we did this."

Aside from Mr. Stefanek's released statement, Hollywood Presbyterian has remained mum about the circumstances surrounding the cyberattack. However, Dave Kennedy, CEO and founder of information security firm TrustedSec, told CBS News the hospital likely paid the ransom because their backup system may not be strong enough to recover the data. "If they decided to pay the ransom, it probably means that they didn't have very good backups, they weren't able to recover the data, and that the data would have been lost if they didn't pay the ransom," he said.

A growing threat
These two high-profile cases are just the tip of the ransomware iceberg in healthcare, Mr. McMillan says, adding that the number of attempts is growing exponentially. One hospital client told Mr. McMillan that a month ago, they tallied approximately 3,000 suspected ransomware events in their filters a day. Now, that number has multiplied 10-fold to 30,000 a day.

Again, the majority of such attacks are caught before they can take down a hospital's network. But, the increasing number of threats remains a concern for hospitals and health systems and is likely spurred by the public success of other bad actors, like those involved with Hollywood Presbyterian, have relative success.

"The bad guys go where they need to go, and there's [been]…a fair amount of success with these most recent ransom attacks in healthcare," Mr. McMillan says. 

Money matters
While cyber attacks aren't rare in healthcare, ransomware is set apart from other types of malware because of the transactional element involved. While other players are seeking information and data (though likely to sell the information down the road for money), ransomware attacks seek the money up front.

No matter how prepared hospitals are for cyberattacks and detecting ransomware, it's nearly impossible to plan ahead monetarily or budget for this type of event. "You have no idea what the ransom is going to be," Mr. McMillan says. "Budgeting for it would be virtually impossible, other than pulling a number out of the air."

Hollywood Presbyterian's ransom was slightly higher than cases in other industries.  For example, the Tewksbury (Mass.) Police Department suffered a ransomware attack in April 2015 that encrypted arrest and incident records. After five days of trying to unlock the files, the police department paid the requested $500 ransom. A Boston Globe article reporting the attack mentioned several other police departments that were also hit with ransomware, including Midlothian (Ill.) and Dickson County, Tenn., all of whose ransom was also right around $500.

Instead of specifically budgeting for potential ransomware attacks, Mr. McMillan says such attacks are incidents organizations should be factoring into their business risk and using to determine what kind of insurance policies they may select. As for the payment, he says organizations likely turn to a fund reserved to handle unexpected expenses.

Best defenses
No organization is completely immune from a cyberattack, ransomware included, but much of a hospital's defenses lie with hospital staff. "The individual user…in many cases is at the center of this," Mr. McMillan says. "A lot of these ransomware attacks are started by somebody going to a site they shouldn't go to, downloading something from the Internet they shouldn't download, clicking on an email message and giving up credentials, or doing something they shouldn't [be] in a phishing scam."

Mr. McMillan reiterates the importance of employee training and education. He offers a three-pronged approach to eliminating human error that leads to malware attacks.

The first step lies in better and more consistent experiential-based education so computer end users can better identify and avoid these types of attacks.

Second, Mr. McMillan calls on hospital leaders to scrutinize their allowance of personal devices at work. "It's really nice to give your employees all these capabilities to be able to go to the web from their work computer, go to their personal emails to do X, Y and Z. But you need to stop and think about the business risk you're opening your organization up to by allowing your users to do all those things that are not work-related on your computer," he says.

Third, investment in adequate and appropriate malware threat protection technology is critical, he says.

A combination of the three of these — education, workplace policy and technology — comprises a strong defense, and these defenses are going to become more necessary as ransomware attacks ramp up.

"What these attacks are telling us is this is the reality we're in today," Mr. McMillan says. "You either embrace it and figure out how you're going to get smarter and avoid the risks, or you're going to wait until you're the next victim."

More articles on ransomware:

Lawmaker considering bill requiring hospitals to report ransomware attacks 
8 latest ransomware attacks 
NYT, BBC among websites hit with ransomware in advertisements 

Copyright © 2023 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.


Featured Whitepapers

Featured Webinars