Why Some Healthcare Entities Pay RansomsIndiana Hospital Pays After Ransomware Attack, Citing Time Needed to Restore Systems
A recent incident involving an Indiana hospital that admitted to paying a $55,000 ransom to unlock data following a ransomware attack - despite having backup systems - spotlights the challenges faced by healthcare entities that require quick access to patient data.
See Also: Respond to Fraud in Milliseconds
The incident points to the need for organizations to regularly test their data recovery plans during "peace time," says Former FBI agent Jay Kramer, a partner at the law firm Lewis Brisbois. Those efforts should also test whether the entity has the needed staff and skill sets to recover data quickly, he stresses.
"If it's a large attack, it can take a significant effort to restore networks quickly," he says.
Ransom Paid in Bitcoins
Hancock Health, a healthcare system that includes Hancock Regional Hospital and more than 20 other healthcare facilities, says it paid four bitcoins to unlock its systems following a ransomware attack on Jan. 11.
"At that time of the transaction, [the bitcoin] equaled $55,000" a Hancock Health spokeswoman says in a statement provided to Information Security Media Group.
"The reason the ransom was paid was truly one of resources," the spokeswoman says. "It was quicker to get the network and systems back online and working by paying the ransom. Without paying the ransom, it would have taken weeks to restore all backups. The resources to restore backups would be far more than paying the ransom and being operational in a couple of days."
Hancock Health also did not want to risk delays in treating patients, including those with flu or injuries resulting from harsh winter weather, according to news website IndyStar.
The organization is taking steps to better position itself against cyberattacks, the spokeswoman says. "We have consulted with cybersecurity experts and have deployed the proper, precautionary artificial intelligence to help prevent future attacks. As I am sure you can imagine, the amount of backup data we have is beyond a quick, simple process. To restore our backup systems and data from scratch would take weeks."
Some experts say that, indeed, restoring data using backups isn't as easy as it sounds.
"Data synchronization across multiple systems is a challenge," says Tom Walsh, president of consultancy tw-Security. "Hospitals continue to function while the backups are being attempted to reload. Interfaces and automated batch processes move data all the time and that can cause data integrity problems due to data synchronization errors."
Too Much Transparency?
Kramer, the former FBI agent, says law enforcement officials generally advise cyberattack victims against paying ransom because it often leads to more cybercrime. "I respect [Hancock] in its effort to be transparent, but publicly admitting [to paying a ransom] is not helpful. That only encourages others to monetize attacks," he says.
Still, healthcare entities generally are pressured to at least publicly admitting they've suffered a ransomware attack due to reporting obligations under HIPAA. The Department of Health and Human Services' Office for Civil Rights in 2016 issued guidance saying "that most ransomware attacks are reportable breaches unless you can demonstrate a low probability of compromise" to PHI, Kramer notes. In ransomware attacks, while PHI is encrypted by attackers, "if it's also viewed or exfiltrated, it's still a reportable breach."
Far more organizations are likely paying ransoms that has been publicized, says David Finn, executive vice president at security consulting firm CynergisTek. Why? "Because the ransomware keeps coming," he says. "Cybercriminals run pretty efficient operations; they don't spend time or money on things that don't produce a return for them, just like any legitimate business."
Symantec's 2017 Internet Security Threat Report showed that globally, about 34 percent of consumers pay the ransom after a ransomware attack, Finn says. "In the U.S., that rate is 64 percent. It is safe to assume that those numbers translate pretty directly into enterprise operations."
Paying ransom doesn't guarantee an organizations will get its data back, Finn emphasizes. "The bad guys do share those lists of who pays and who doesn't pay," he adds. "Ransomware is offered as a service on the dark web and, again, like a good business, they advertise their successes."
Nevertheless, Finn understands why some organizations might opt to pay a ransom. "When you are shut down, in the middle of an operational crisis and patient care is at risk, potentially lives - and revenue - this is a very bad time to make a sound, rational decision," he says. "That is why you should have an incident response plan that addresses this type of attack and clear guidance/policy around paying or not paying and what specific circumstances or procedures would trigger or allow the paying of ransom."
Other healthcare entities have admitted paying a ransom to unlock data.
For instance, Hollywood Presbyterian Medical Center admitted paying $17,000 in bitcoin to unlock data in 2016, and Namaste Health Care, a small Missouri clinic, admitted paying an undisclosed ransom to unlock its data last August.
Re-Evaluate Recovery Plan
Finn says it's critical that entities re-evaluate their recovery plans to stay current.
"The bottom line here is that a restore from backup can take a long time if you are doing this 1990's style," he says. "The technology has changed drastically and the threat landscape has changed drastically. And if backups are not part of your security strategy in 2018, well, you need to backup and develop a new plan, strategy and architecture."
Determining an acceptable time frame for restoring data from a backup is a business decision that leaders of the organization should make, Finn stresses. "Once you have marching orders, we have cloud; we have hosted services; we have much faster storage and networks; we can stratify systems so not everything has to come up at once but are brought up in order of criticality."
Plus, organizations can take interim steps, he notes. "You might go to downtime procedures for four hours, or you might keep enough data locally but off-line so you can run for 24 hours. All this buys you the critical time to fully restore resources."
Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy, says healthcare entities can take several steps to better prepare for data recovery efforts, including maintaining up-to-date inventories of their hardware and data. Plus, they should provide "frequent training to help prevent ransomware instances in the first place. And make sure all systems are patched ASAP to keep ransomware from infiltrating through systems holes."
Mark Dill, partner and principal consultant at tw-Security, adds that regardless of which security control framework an organization uses, it should review the "Top-20" critical controls or perform a threat-specific ransomware readiness assessment. This will help to determine which current controls are ineffective and where a new tool, process, or application of IT talent is necessary.
"Once gaps are addressed, created incident-specific playbooks and exercise those playbooks in a tabletop," he suggests.
Health IT vendors and other third parties can also take steps to help fortify security of electronic health records systems and medical devices to make healthcare entities less vulnerable to ransomware attacks.
Vendors "need to build their technology with more security controls, such as encryption and two-factor authentication. These ransomware attacks are increasingly launched through IoT devices, and that is what most medical devices now are," Herold says.
"It is becoming more irresponsible of medical device manufacturers to continue to slough off responsibility and say it is too hard to build security controls into their devices and make CISOs take on that additional responsibility. Medical device makers need to wake up to the fact that they need to implement much more comprehensive controls into their devices; it is long overdue," she says.