Paying the ransom: Hospitals face hard choices in cyberattacks | Special Report

Should we pay?

It’s the gut-wrenching question many hospital leaders have faced as healthcare systems have endured scores of ransomware attacks in recent years.

Large health systems, including CommonSpirit Health, have encountered ransomware attacks, but experts say smaller hospitals and systems are increasingly at risk.

Some cyberattacks have targeted the electronic medical records systems, while others are aimed at acquiring patient data and selling it on the dark web. Hundreds of data breaches involving private health data occur annually, affecting millions of Americans.

No one ever thinks paying off bad actors is an ideal course of action. However, some health systems have made the call to pay the criminals, and analysts say that’s one reason the attacks continue. Some health systems and hospitals will pay the money to restore patient care, resume normal operations and protect their information and reputation.

• Read more: Expect AI-powered cyberattacks targeting health systems

The FBI doesn’t support paying ransom demands. Federal authorities say organizations shouldn’t pay because it could only embolden criminals to launch other attacks. Most cybersecurity experts say it’s not advisable to pay the ransom, and it should be avoided at all costs.

But even experts who work to protect companies acknowledge it’s not always a black-and-white issue.

Patterson Cake, a consultant with Avertium, a cybersecurity firm, says he would prefer not paying the ransom. Still, in a recent interview with Chief Healthcare Executive®, he says he understands there are circumstances where some hospital leaders feel it’s the only responsible option for their patients, staff and organizations.

“Far be it for me, honestly, to espouse that any business entity should never pay the ransom,” Cake says. “That's really easy for me to say. That would be my strong preference. Number one, I hate to reward the villains.”

“There are obviously lots of complexities from federal regulations, moral questions and consequences,” he added. “I would never say never, I guess, to leave it as a potential option when it is legal and feasible, at least as a consideration.”

Cake and other cybersecurity experts say hospitals are better off investing time and energy into defenses so they can deter attacks, or at least minimize the risks and disruptions. (Cybersecurity experts discuss the question of paying the ransom in this video. The story continues below.)

Hospital leaders must develop plans for dealing with ransomware attacks, experts agree. ​​In a recent survey of healthcare IT professionals by the Ponemon Institute, nearly half (47%) said their organizations experienced a ransomware attack in the past two years. The survey found 45% of health IT pros reported complications from medical procedures due to ransomware attacks, up from 36% in 2021.

More healthcare leaders and cybersecurity experts are focusing on the risks of ransomware attacks to patient care. A ransomware attack that hit Scripps Health in 2021 resulted in higher patient volume at adjacent hospitals, and some stroke patients had to be transferred to other hospitals, according to a study in Jama Network Open.

• Read more: Cybersecurity and patient safety: Why it needs more attention

‘Digital gun pointed at your head’

The healthcare industry is more likely to pay ransom demands than other sectors, according to Sophos, a cybersecurity firm.

In a 2022 Sophos survey of healthcare IT professionals, a solid majority (61%) acknowledged that their organizations paid a ransom, well above the average of all industries (46%).

The White House is considering regulations that would prohibit companies from paying ransoms, Politico reported last month.

Anne Neuberger, President Biden’s deputy national security adviser for cyber and emerging technology, recently discussed the possibility at an event hosted by the Ransomware Task Force. She said there could be exceptions for healthcare organizations to save lives, including a provision for government approval to pay the ransom, Politico reported.

John Riggi, national advisor for cybersecurity for the American Hospital Association, advises against paying ransom demands. (Photo: AHA)

When hospitals are paying the ransom, they are doing so to protect patients, says John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.

“No one wants to pay the ransom,” Riggi tells Chief Healthcare Executive. “It's the equivalent of having a digital gun pointed at your head and at your patients.”

While he says economics are a consideration, Riggi says for hospital executives who have endured attacks, “If a decision is made to pay, it is based on patient safety issues.”

Riggi says more health systems are taking the stance that they won’t pay the ransom.

“I hear that more and more,” Riggi says.

More health systems are building their cybersecurity policies around the idea that they won’t pay, and are crafting their defense and response strategies with that in mind. “That's a very key anchor point to start with,” he says.

“The only way you can confidently say at least the intent is not to pay, is if you are prepared to deflect the attack, but we know we can't do that in all cases, and to be prepared to respond and recover,” he says.

Riggi advises organizations against giving in to ransom payments to help break the cycle. Ransomware groups are launching attacks because they’re working.

“You're incentivizing them to continue to attack,” Riggi says. “You're funding a criminal organization, which may have actual nation-state sponsorship and backing.”

And he adds, if a health system pays an organization with ties to North Korea or Iran, “you may be unintentionally funding their national strategic objectives, including for North Korea, their nuclear weapons program.”

“So there are far reaching potential strategic consequences and paying a ransom to a ransomware.”

Some organizations are refusing to pay.

In February, the Lehigh Valley Health Network disclosed it was hit with a ransomware attack by a gang known as BlackCat, a group with ties to Russia, according to authorities. Brian A. Nester, president and CEO of the Lehigh Valley Health Network, said in February that BlackCat demanded a ransom payment but the system “refused to pay this criminal enterprise.”

After Lehigh Valley refused to pay, the BlackCat group posted nude images online, and a cancer patient sued the organization, according to LehighValleyLive and other media reports.

Lehigh Valley Health Network declined comment for this story, saying the case is in litigation.

Ransomware attacks can cost hospitals millions of dollars. The average cost of a healthcare breach now tops $10 million, according to a report from IBM Security.

Citing the costs of a ransomware attack and other financial woes, St. Margaret’s Health, a hospital in Illinois, closed its doors earlier this month

• Read more: Cybersecurity in healthcare: Even with progress, vulnerabilities remain

‘No honor among thieves’

Cybersecurity experts point to the continued vulnerability of health systems. They say many hospitals still aren’t doing as much as they should to protect their systems.

Hospitals also face risks from the huge number of third parties and contractors that they deal with on a daily basis.

Lee Kim, senior principal of cybersecurity and privacy at HIMSS, says criminals may refuse to return data even after paying the ransom. (Photo: Ron Southwick)

Lee Kim, the senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society (HIMSS), advises against paying the ransom.

Bad actors could take the payment and simply demand more money, or they could only offer partial access to systems or information until the hospital pays again.

“There’s no honor among thieves,” Kim says.

For hospitals, the danger doesn’t end if they decide to pay the demands.

Crane Hassold, a cybersecurity consultant who led threat intelligence at Abnormal Security, says organizations need to be aware of the risks in paying.

“Even if you pay the ransom, it is not a guarantee that you're going to get data back and it's going to be successful,” he says. “There have been so many examples of you know, someone paying a ransom, and then not actually receiving a decryption key, or receiving a decryption key and it just not working.”

Hassold also says it’s going to take systems time, perhaps weeks, to restore their systems.

“It's not like you pay a ransom, they flip a switch, and all of a sudden you have all of your information back. That's not how it works,” he says.

Plus, if criminals have stolen patient data, they may leak it anyway or sell it.

Paying the ransom, Hassold says, “is not a foolproof guarantee.”

Preparing for attacks

For years, cybersecurity experts have been urging hospitals and health systems to bolster their defenses to repel ransomware attacks, or at least mitigate the risks.

Analysts have also advised health systems to develop robust plans to respond if - and perhaps when - an attack occurs.

Kim suggests hospitals should develop plans to deal with ransom demands, including lining up legal counsel, and even those who can negotiate with bad actors.

“It certainly makes sense if it's affordable or feasible to get cyber liability coverage, and also to even retain an incident response team and ransom negotiator on retainer, if and when you may need that,” Kim said. “Sometimes some healthcare organizations have been able to avoid paying the ransom at all, to negotiate down what they pay.”

“But to be clear, I'm not advocating that organizations should pay the ransom,” Kim said. “But sometimes, just like with any other situation, there could be a pressing reason why they may be caught by surprise, and they may not have any choice.”

Steve Cagle, the CEO of Clearwater, a cybersecurity firm, acknowledged the painful decision of paying a ransom. In an interview with Chief Healthcare Executive, he stresses that healthcare leaders should do whatever is possible to avoid paying.

“We don't want to be in a position where we have to do that,” Cagle says.

“We do want to be in a position where we can recover, we have good backups in place, we have good procedures, we've tested those procedures,” he explains. “And if we've done all the right things, then we should be in a good position to not have to pay the ransom, and to minimize the impact and detect the threat actor quickly, to contain the attack and to be able to get that attacker out.”

"It's a hard decision," he adds. "But ideally, we don't want to pay the ransom most of the times."

Get more: Steve Cagle of Clearwater discusses reducing the risks of ransomware attacks.