Ransomware has become a major threat to the U.S. healthcare industry this year. The high-profile attacks that involved Hollywood Presbyterian Hospital in Los Angeles, MedStar Health in Washington, D.C., and other healthcare systems are just the tip of the iceberg. Over half of hospitals surveyed recently by HIMSS Analytics and Healthcare IT News said they had been hit by ransomware attacks in the past year. Another 25 percent were unsure whether such attacks had occurred.
It’s not clear how many hospitals have paid ransoms to cyber-criminals to decrypt their data and/or unlock their systems. Hollywood Presbyterian announced it had paid $17,000 to get its data back after being unable to use its EHR for 10 days. Methodist Hospital in Henderson, Ky., also reportedly paid $17,000. MedStar’s systems were at least partly down for nearly a week, but the organization didn’t say whether it had paid a ransom.
Asked whether they’d fork over the ransom payment if hackers had encrypted their hospital’s patient data, about half of the healthcare executives in the HIMSS Analytics survey said they wouldn’t. Forty-four percent said they were unsure, and just 5 percent said they would pay.
But experts say that the exponential growth of ransomware attacks indicates that some victims are yielding to the hackers’ demands. “The increase is related to the fact that attacks are successful because organizations are willing to pay. They will continue to rise as long as that continues to be the case,” says Nathan Gibson, director of IT operations/privacy officer for WVMI Quality Insights, based in Charleston, West Virginia.
Low-hanging fruit makes for easy pickings?
Another reason for the jump in ransomware incidents this year is that publicity about the attacks and hospitals’ vulnerability to them “has emboldened the bad guys,” says Mac McMillan, CEO of CynergisTek, an Austin, Texas-based IT security firm. In addition, he says, “There’s a very low risk of these people getting caught,” and there’s a potentially big payoff.
McMillan agrees that $17,000 isn’t a huge sum for a hospital or healthcare system to pay to regain access to its data and to protect its patients and its reputation. “But the more you pay, the more it incents the hackers to do it,” he notes. “And the last thing you want to do is incent their behavior.” Also, Gibson observes, there’s no guarantee organizations will get their data back if they pay the ransom.
On the other hand, McMillan points out, “It’s easy to say, ‘We don’t pay criminals,’ if you’re not the one who’s locked out of your system or doesn’t have access to data. At the end of the day, you want to try hard not to pay that ransom. And the best way to do that is to be prepared to deal with the incident and to recover quickly.”