Hospitals, MedCity Influencers

It doesn’t pay to pay a ransom – especially in healthcare

While you may rid yourself of one attacker by meeting their demands, you send a sign to threat actors around the world that you are willing to negotiate.

Ransomware as a concept is fairly simple: cybercriminals gain access to a computer and then, as the name suggests, hold that access and all of its data hostage until money is transferred to them. It is extortion at a uniquely modern technological level, and it is currently running rampant.

Within the healthcare industry specifically, this is of particular concern: ransomware is projected to cost the industry over $20 million. And providers, rightly so, are anticipating the worst. A recent poll shows that 63% of healthcare providers expect their organization to be attacked within the next year. Those are worse odds than a coin flip.

The FBI and the Department of Homeland Security strongly recommend against paying hackers who have seized your files in a ransomware attack. But in the moment, when your data is being held hostage and your operations are literally a matter of life and death, it is harder to abide by this outside advice.

So let’s look at the practical reasons why it doesn’t pay to pay attackers, and at the ways you can prepare your organization to avoid a big payout in the future.

Should You Consider Paying The Ransom?

Very simply? No. The chief reason is that, even after meeting the threat actors’ demands, the probability of getting your complete archive of data back is very slim.

  1. More than a third of healthcare organizations hit with a ransomware attack chose to pay their attackers in order to get encrypted data back. And in return? The average healthcare provider got back around two-thirds of its total data at best. The same study showed that 29% got back 50% or less of their data, and only 8% got all of their data back after paying the demands.

Remember, there are no guarantees of receiving any data back in return for holding up your end of the transaction. You don’t know that you will receive anything whatsoever, even if you are dealing with the friendliest of grifters. And whatever decryption tool you are given, if you get one at all, is attacker-written software that you are then expected to run on your own production systems.

  2. Attackers know when they have you on the ropes, and they have realized that if you are willing to pay the first demand, you are likely willing to pay a second. This was the case with Kansas Heart Hospital. After paying the attackers’ demand, the hospital assumed it would receive the key to decrypt its data. Instead, it was hit with a second demand.

If you pay your attackers, you will likely be unable to keep that transaction out of the media. Ransomware attacks make the news almost every day now, and cybercriminals are carefully watching to see who is paying out. While you may rid yourself of one attacker by meeting their demands, you send a sign to threat actors around the world that you are willing to negotiate. As cybercrime as a whole swells toward a $6 trillion business, the sheer volume and scale of attacks will make paying multiple ransom demands impossible.

  3. With the ongoing rise of ransomware, companies, including those in healthcare, have turned to cybersecurity insurance. And when a payment is made to attackers, it can send your insurance rate skyrocketing. Global cyber insurance pricing has already spiked by 32% in the last year.

Even if the insurance is used to pay the demand, expect premiums to be raised drastically. So while it is a good idea to have cybersecurity insurance, keep in mind the lasting impact that paying attackers will have on your monthly bill going forward. Eventually, that added cost will match the original demand your attackers made anyway.

How To Avoid Paying

There are some very practical steps you can take to fend off attackers and to protect yourself, your hospital, your business, your organization, and really anything you want protected at the ground level.

  1. By investing in a disaster recovery plan, you invest in control over the situation should an attack ever occur, and you give yourself a restorative rather than a purely reactive option. A disaster recovery plan, paired with its cousin, backup recovery, is the surest way to avoid paying a large sum and to get operations back up and running quickly. One caveat any practitioner will add: backups only count if at least one copy is kept offline or immutable, where the attacker cannot encrypt or delete it, and if restoring from them is actually tested rather than assumed.

Disaster and backup recovery are the best insurance policies in your arsenal, yet only around 50% of hospitals have a fully detailed plan in place. Another 40% have a partially developed plan. Given the number of hospitals that believe they will be attacked in the next year, it would be wise to make this your first proactive step in battling ransomware.
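As an added illustration, not code from the article or its author: a minimal restore test in Python. It assumes a hypothetical backup manifest format (relative path to SHA-256 digest, recorded when the backup is taken) and shows the check that turns a backup into a recovery plan, namely re-hashing the restored tree against that manifest and failing on anything missing, altered or unexpected. The sample files and the tampered “restore” are constructed inline so the script runs offline.

```python
"""Backup restore-test check (added example; not from the article).

Assumes a hypothetical backup job records a manifest mapping each relative
path to its SHA-256 digest at backup time. A restore test re-hashes the
restored tree against that manifest: missing, altered or extra files fail it.
The sample files below are constructed inline so the script runs offline.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone


def sha256_file(path):
    """Stream-hash a file so large database dumps do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Record SHA-256 per relative path; run this when the backup is taken."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Compare a restored tree with the manifest. Empty result means the restore is good."""
    problems = {}
    for rel, expected in manifest.items():
        full = os.path.join(restored_root, *rel.split("/"))
        if not os.path.isfile(full):
            problems[rel] = "missing"
        elif sha256_file(full) != expected:
            problems[rel] = "hash mismatch"
    for rel in set(build_manifest(restored_root)) - set(manifest):
        problems[rel] = "unexpected file"  # e.g. a dropped ransom note
    return problems


def backup_is_fresh(taken_at, max_age=timedelta(hours=24), now=None):
    """Restoring a week-old backup is still data loss; check the age as well."""
    now = now or datetime.now(timezone.utc)
    return now - taken_at <= max_age


def demo():
    """Run a clean restore test, then one where the 'restored' data was tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "restore")
        os.makedirs(os.path.join(root, "ehr"))
        db = os.path.join(root, "ehr", "patients.db")
        with open(db, "wb") as fh:
            fh.write(b"constructed sample record data\n")
        with open(os.path.join(root, "config.ini"), "w") as fh:
            fh.write("[db]\nhost=localhost\n")
        manifest = build_manifest(root)      # what the backup job would have stored

        clean = verify_restore(root, manifest)

        # Simulate ransomware reaching the restore target: the file is overwritten
        # with ciphertext-like bytes and a ransom note appears next to it.
        with open(db, "wb") as fh:
            fh.write(b"\x00\x13\x37encrypted\x00")
        with open(os.path.join(root, "ehr", "README_DECRYPT.txt"), "w") as fh:
            fh.write("constructed ransom note placeholder\n")
        tampered = verify_restore(root, manifest)
        return clean, tampered


if __name__ == "__main__":
    ok, bad = demo()
    print("clean restore problems:", ok)
    print("tampered restore problems:", bad)
```

The point of the design is that the manifest is produced at backup time and stored separately from the backup data, so an attacker who reaches the backup target cannot silently “fix” the digests; in practice the restore also goes to an isolated host, not back onto the compromised network.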

  2. Cyberattacks will never be 100% preventable, which is why your next order of business should be to create an incident response plan. This will allow all stakeholders in your organization to move immediately and efficiently in the right direction and start addressing the threat.

An incident response plan will be your map for navigating both the threat and the fallout, helping to minimize risk and mitigate downtime. Ensure your plan covers not just your immediate response, but extends into the days, weeks and months after the attackers strike.

  3. Organizations need to take a layered approach to security to detect attacks early and protect themselves. A layered approach means implementing various controls that secure the business at different touchpoints. In the long term, assess your security posture. Does it include the following? It absolutely should:
  • Endpoint protection, so that devices do not become the attacker’s inroad
  • Email filtering and spam protection to stop employees – often the biggest security risk in an organization – from clicking a dangerous or malicious link
  • Vulnerability management, which helps minimize the attack surface
  • Security information and event management (SIEM), so that events from the other layers are correlated and an attack in progress is noticed
  • Mobile device management
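As an added example, not code from the article or its author: the kind of detection logic a SIEM rule for the endpoint and file-share layer would run, written in Python over a constructed, hypothetical file-audit log. It flags a user who renames many files to a new extension inside a short window, which is what mass encryption looks like in file-server audit data, while ignoring a user doing the same thing slowly. The log format, field names and thresholds are assumptions to be tuned to real audit data.

```python
"""SIEM-style rule for ransomware-like mass renames (added example; not from the article).

Assumed, hypothetical audit-log format, one event per line:
    <ISO timestamp> <user> <host> <ACTION> <path> [<new path>]
The rule fires once per (user, host) when at least THRESHOLD renames that change a
file's extension occur within WINDOW seconds. The log below is constructed.
"""
import os
from collections import defaultdict, deque
from datetime import datetime

THRESHOLD = 5    # extension-changing renames within the window (assumption)
WINDOW = 60      # seconds (assumption)

# Constructed sample: jdoe on ws-17 "encrypts" six files in eight seconds; asmith
# renames five spreadsheets to .bak over twelve minutes; a service renames one temp file.
SAMPLE_LOG = """\
2024-03-01T09:00:00 asmith ws-03 RENAME /share/r1.xlsx /share/r1.xlsx.bak
2024-03-01T09:00:01 jdoe ws-17 WRITE /share/notes.txt
2024-03-01T09:00:03 jdoe ws-17 RENAME /share/a.docx /share/a.docx.locked
2024-03-01T09:00:04 jdoe ws-17 RENAME /share/b.docx /share/b.docx.locked
2024-03-01T09:00:05 svc-backup fs-01 RENAME /var/tmp/job.tmp /var/tmp/job.log
2024-03-01T09:00:06 jdoe ws-17 RENAME /share/c.pdf /share/c.pdf.locked
2024-03-01T09:00:08 jdoe ws-17 RENAME /share/d.xlsx /share/d.xlsx.locked
2024-03-01T09:00:09 jdoe ws-17 RENAME /share/e.jpg /share/e.jpg.locked
2024-03-01T09:00:11 jdoe ws-17 RENAME /share/f.txt /share/f.txt.locked
2024-03-01T09:03:00 asmith ws-03 RENAME /share/r2.xlsx /share/r2.xlsx.bak
2024-03-01T09:06:00 asmith ws-03 RENAME /share/r3.xlsx /share/r3.xlsx.bak
2024-03-01T09:09:00 asmith ws-03 RENAME /share/r4.xlsx /share/r4.xlsx.bak
2024-03-01T09:12:00 asmith ws-03 RENAME /share/r5.xlsx /share/r5.xlsx.bak
"""


def parse_event(line):
    """Split one audit line into (timestamp, user, host, action, [paths])."""
    ts, user, host, action, *paths = line.split()
    return datetime.fromisoformat(ts), user, host, action, paths


def extension_changed(old_path, new_path):
    """True when a rename swaps the suffix, e.g. report.docx -> report.docx.locked."""
    return os.path.splitext(old_path)[1] != os.path.splitext(new_path)[1]


def detect_mass_rename(lines, threshold=THRESHOLD, window=WINDOW):
    """Sliding-window count of suspicious renames per (user, host); one alert per pair."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, user, host, action, paths = parse_event(line)
        if action != "RENAME" or len(paths) != 2 or not extension_changed(*paths):
            continue
        key = (user, host)
        window_events = recent[key]
        window_events.append(ts)
        while (ts - window_events[0]).total_seconds() > window:
            window_events.popleft()        # drop renames older than the window
        if len(window_events) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "user": user,
                "host": host,
                "renames": len(window_events),
                "first": window_events[0].isoformat(),
                "last": ts.isoformat(),
                "new_extension": os.path.splitext(paths[1])[1],
            })
    return alerts


def run_sample():
    """Evaluate the rule over the constructed log."""
    return detect_mass_rename(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print("ALERT possible ransomware:", alert)
```

On the sample, only jdoe on ws-17 trips the rule; the alert is what should cut that host off the network and trigger the incident response plan, which is the practical reason the SIEM layer and the plan belong together.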

Remember, these bad actors want you to believe in an immediacy that doesn’t actually exist. Your gut-level fears are the advantage they have. Everything is now or never. They create that ticking clock as a tactic to make you sweat.

Avoid giving in to that fear and don’t pay the ransom. It is easy to say, but far less easy to do when the hospital has ground to a halt and patients are hanging in the balance. Simply put, a cost/benefit analysis of paying demands shows that this is not the best strategy for contending with attackers. Get proactive about preventing ransomware attacks now and avoid the large payout in the future.

Photo: anyaberkut, Getty Images



Jim Bowers

Jim Bowers is a Security Architect for TBI Inc. An accomplished and seasoned security expert, Jim brings 20+ years of in-depth knowledge in engineering powerful security solutions. Having worked with notable companies in finance, healthcare, manufacturing, technology and more, he advises on complete security infrastructure, from assessments, vulnerabilities and risk management to phishing training/simulation, DDoS mitigation, endpoint protection and Managed SOC.

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.
