- Politics
- Diversity, equity and inclusion
- Financial Decision Making
- Telehealth
- Patient Experience
- Leadership
- Point of Care Tools
- Product Solutions
- Management
- Technology
- Healthcare Transformation
- Data + Technology
- Safer Hospitals
- Business
- Providers in Practice
- Mergers and Acquisitions
- AI & Data Analytics
- Cybersecurity
- Interoperability & EHRs
- Medical Devices
- Pop Health Tech
- Precision Medicine
- Virtual Care
- Health equity
Cybersecurity experts weigh risks of hospitals paying ransom demands
In our special report, experts tell Chief Healthcare Executive that health systems should avoid paying if possible and focus on improving their defenses.
There are significant risks when hospitals pay the ransom in a cyberattack, security experts say.
Hundreds of hospitals and health systems have suffered cyberattacks in recent years, and many have agreed to pay the ransom. Federal authorities and most cybersecurity experts advise organizations against paying ransom demands, arguing that they encourage additional attacks and reward criminal groups.
In our special report, “Paying the Ransom,” Chief Healthcare Executive® interviewed several leading cybersecurity experts about the dilemma.
Experts acknowledge hospitals face hard decisions if ransomware gangs have locked up their electronic health records or stolen private patient data. While paying a ransom to protect patients may be the only option for some health systems, cybersecurity experts say hospitals must be aware of the potential problems.
“Even if you pay the ransom, it is not a guarantee that you're going to get the data back and it's going to be successful," says Crane Hassold, a cybersecurity consultant.
Ransomware gangs could ask for more money even after a ransom is paid, experts say. Hassold and other experts say even if the ransom is paid, it could take weeks to recover data and restore systems.
Patterson Cake, a cybersecurity consultant for Avertium, says, “I hate to reward the villains.”
Cake says there are circumstances where it’s understandable that some systems make the call to pay the ransom to protect patients. But he says he’d rather hospitals focus on building their defenses.
Lee Kim, the senior principal of cybersecurity and privacy for HIMSS, says she doesn’t advise health organizations to pay the ransom. Still, she says, “Different organizations are in different places in terms of whether they need to restore things in a hurry, whether they have really good backups where they can rebuild.”
Paying a ransom “ultimately is a business decision,” Kim says.
But she adds health systems should develop robust response plans, and even consider getting negotiators on retainer to deal with ransomware gangs.
Steve Cagle, CEO of Clearwater, says hospitals should strive to reduce their risks of major disruptions in a cyberattack.
“We do want to be in a position where we can recover, we have good backups in place, we have good procedures, we've tested those procedures, and if we've done all the right things, then we should be in a good position to not have to pay the ransom,” Cagle says.
