2020 and 2021 created a veritable gauntlet of misfortune for hospitals — overworked staff in overcrowded facilities working desperately to contain a highly contagious virus. Other viruses crept in, too: Ransomware infiltrated hospital networks across the U.S. in record numbers, profiting from internal chaos and adding havoc to already overtaxed systems. Even worse, cybercriminals show no signs of slowing down in 2022.
Hospitals aren’t known for having robust cybersecurity defenses. They typically don’t have the budget, personnel, or bandwidth for modern security systems. But their internal systems are crucial to providing care: In a perfect world, they should experience 100% uptime — no system errors, no downtime — and be impenetrable. The risks are hard to overstate: Attackers with network access have the power to block access to vital patient data, disable life-saving alerts, trigger false alarms, halt procedures, and cause any number of otherwise avoidable disasters. Even a small network downtime is a crushing weight on already overburdened hospital staff.
When it comes to the question of meeting the demands of ransomware, conventional wisdom lands on the side of “hard no”. Often, the argument is a variation of, “We shouldn’t negotiate with terrorists!” Most authorities, including the FBI, advise against paying a ransom. There is no guarantee that an attacker will keep their end of the bargain and return stolen data or give back system access. Some groups are also known to extort their victims for double or triple payments. But for hospitals, the stakes are undeniably higher than they are with a financial institution. Losing a client’s bank account credentials is one thing — losing a patient is another.
In the fall of 2020, malware on an employee’s computer at the University of Vermont Medical Center (UVMC) led to a full-on cyber attack. The attackers left a file explaining how to contact them, presumably in exchange for the tool to decrypt the infected files; UVMC opted not to make contact, assuming it would only result in a ransom demand. The incident was estimated to have cost UVMC $50 million, mostly in lost revenue, and IT staff worked around the clock for a month to scrub their network systems. And this attack did not directly threaten patients: it only interfered with health records and payroll. Would it have been worthwhile to pay the ransom? Considering what’s at stake, what can a hospital do?
Over the last decade, some hospitals have opted to pay ransoms at an average of $131,000 in 2021. Obviously, this is much lower than the $50 million UVMC lost, but paying “reasonable” ransoms has led to another cost altogether: Now groups like FIN12 are attacking healthcare institutions more often, taking advantage of outdated security systems and threatening patients’ lives.
Though it may seem less costly and time-consuming on paper, giving in to an attacker’s demands is usually not the best method for dealing with ransomware. Authorities may advise a hospital to pay the ransom initially to spare patients at risk, but such a decision is not taken lightly and should not be made without guidance.
Step 1: Get help, fast, from an expert. Do not immediately pay the ransom or trust the cybercriminals.
Step 2: Isolate devices from the network, secure backups, and identify the source and goals of the attack to contain and minimize affected data.
Step 3: Report the attack to the FBI, state and local law enforcement, the Secret Service’s Electronic Crimes Task Force, the Internet Crime Complaint Center (IC3), and the Federal Trade Commission. If your institution has cyber liability insurance, contact your insurance carrier.
Step 4: Though authorities may advise a hospital to pay the ransom to save a patient’s life, giving in to a cybercriminal’s demands does not guarantee decryption. Moreover, an attack’s success can lead to more incidents in the future. Follow your organization’s incident response plan — and weigh your options.
1. Always make backups of important documents, keep them off the network, and test your processes for restoring backups.
2. Assign staff to a cybersecurity response team.
3. Create and update an incident plan detailing what signs to watch for and how to react.
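The first item above (back up important documents and test that they can be restored) is the one piece of this checklist that can be exercised by a script. The following is an added example, not code from the article or from any of the institutions it mentions: it archives a directory, records a SHA-256 manifest for every file, restores the archive to a scratch directory, and checks each restored file against the manifest, so a failed or silently corrupted restore is caught before it is needed. The sample "records" files it creates are constructed placeholders; keeping the archive and manifest on offline media (the "off the network" part of the advice) is an operational step outside what the script does.

```python
"""Backup integrity and restore drill (added example, not the article's own).

backup()            -> archive a directory and return a {relative_path: sha256} manifest
restore_and_verify()-> extract the archive and return the list of files whose
                       restored content does not match the manifest
run_drill()         -> end-to-end demonstration on constructed sample data
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(src_dir: Path) -> dict:
    """Map every regular file under src_dir (relative path) to its digest."""
    return {
        str(p.relative_to(src_dir)): sha256_file(p)
        for p in sorted(src_dir.rglob("*"))
        if p.is_file()
    }


def backup(src_dir: Path, archive: Path) -> dict:
    """Write a gzip-compressed tar of src_dir and return the manifest taken
    at backup time. The manifest should be stored alongside the archive."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(src_dir / rel, arcname=rel)
    return manifest


def verify_restored(manifest: dict, dest_dir: Path) -> list:
    """Return the relative paths that are missing or whose digest differs."""
    problems = []
    for rel, digest in manifest.items():
        restored = dest_dir / rel
        if not restored.is_file() or sha256_file(restored) != digest:
            problems.append(rel)
    return problems


def restore_and_verify(archive: Path, manifest: dict, dest_dir: Path) -> list:
    """Extract the archive into dest_dir, refusing members that are not plain
    files inside the archive root, then verify the result against the manifest."""
    with tarfile.open(archive, "r:gz") as tar:
        members = []
        for m in tar.getmembers():
            if not m.isfile() or m.name.startswith("/") or ".." in Path(m.name).parts:
                raise ValueError(f"refusing suspicious archive member: {m.name}")
            members.append(m)
        tar.extractall(dest_dir, members=members)
    return verify_restored(manifest, dest_dir)


def run_drill() -> tuple:
    """Back up constructed sample files, restore them, and show that the check
    passes on a clean restore and flags a file altered after restoration."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "records"                      # constructed sample data
        (src / "billing").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "billing" / "payroll.txt").write_text("constructed payroll data\n")
        (src / "notes.md").write_text("constructed clinical note\n")

        archive = root / "records-backup.tar.gz"
        manifest = backup(src, archive)

        clean = restore_and_verify(archive, manifest, root / "restore1")

        # Simulate a restored copy that was later damaged (bad media, or a file
        # overwritten by an encryptor) and confirm the manifest check catches it.
        dest2 = root / "restore2"
        restore_and_verify(archive, manifest, dest2)
        (dest2 / "notes.md").write_text("OVERWRITTEN")
        tampered = verify_restored(manifest, dest2)

        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_drill()
    print("clean restore problems:", clean)        # expected: []
    print("tampered restore problems:", tampered)  # expected: ['notes.md']
```

The manifest is the point of the drill: an archive that exists is not the same as an archive that restores correctly, and comparing digests taken at backup time against the restored files is what turns "we have backups" into a tested process. Run the drill on a schedule and treat any non-empty result as an incident to investigate.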