Ransomware against healthcare: to pay or not to pay?
Ransomware attacks are widespread and increasing, threatening the healthcare sector and other critical infrastructure. Often the quickest way to resolve the situation is to pay the ransom, but is that the right thing to do?
It’s easy to imagine the panic when your organization falls victim to a ransomware attack. Criminals can lock IT systems, steal data and demand payment – often millions of dollars – to allegedly return things to normal. It is paralysing for a business and can put lives at risk for an organisation like a hospital. Last summer, a ransomware attack forced the 200-bed non-profit Memorial Health System to suspend access to critical applications. The attack impacted nearly all of the health system’s 64 clinics and three hospitals, forcing the cancellation of urgent surgeries and radiology exams. New patients were diverted to other facilities and staff had to revert to pen and paper, increasing patient waiting times. People’s lives are at stake.
As our Strategic Analysis Report highlighted, healthcare organizations are increasingly under attack. This is due to a combination of factors: their criticality for patient health, their role as gatekeepers of a trove of valuable and sensitive information, and – since the COVID-19 pandemic – the fact that healthcare has found itself at the center of inter-state rivalries.
In our analysis of cyberattacks against the healthcare sector, mapped in the Cyber Incident Tracer (CIT) #HEALTH and analysed in the Addendum to the Strategic Analysis Report, we collected data on ransomware attacks in order to observe the trends and enhance transparency on the human and societal impacts of these increasingly frequent attacks.
In the ENISA Threat Landscape 2021 report, ransomware was assessed as the prime threat. Amid the disruption, victims face the difficult decision of whether or not to pay the ransom.
It’s an ethical and a practical dilemma. For critical infrastructure targets, such as hospitals, do you refuse to pay and accept the risk to life or do you pay and potentially incentivise further attacks and fund the perpetrators of these attacks? It’s a debate that we need to have.
Reasons to pay the ransom
In the abstract, most organizations argue against paying ransomware attackers. Not all of them stick to that, however. Some of the organizations who say that they don’t pay ransoms have been known to do so behind the scenes, or have a third party pay on their behalf.
Refusing to pay may seem an easy position to take until a healthcare facility is paralysed by an attack and people are at risk. Our analysis showed that ransomware attacks against the healthcare sector resulted in an average of 20 days of operational disruption, and 27% of ransomware incidents led to appointment cancellations. Then the decision to pay or not looks very different.
A study by Sophos found that 34% of those whose data was encrypted paid the ransom to get their data back.
Healthcare organizations pay ransoms for a variety of reasons. In the first place, it is often the fastest way to restore operations and ensure continuity of services. Another key consideration in the decision-making process is the availability of data backups and whether or not they were encrypted in the attack. Organizations also believe they are protecting staff and patient data from being leaked or compromised. Our analysis has shown that exposure or theft of data impacts over 70% of targeted healthcare organizations.
Reasons not to pay the ransom
Whilst recognizing the criticality of data backups to ensure business continuity and patient care in hospitals, paying a ransom is unfortunately no guarantee that the attackers will return the data. Criminals who are unscrupulous enough to hold a hospital to ransom cannot be relied upon to keep their word. Even organizations that did get their data back know the attackers almost certainly kept a copy, which could be leaked later or sold on the underground market.
But the arguments against paying are ethical as well as practical. Ransomware is profit-driven and every organisation that pays up is supporting a criminal industry.
Around the world, there have been calls for laws against paying ransoms, on the assumption that making it illegal to pay would drastically reduce profits. The US Treasury has warned that consultants who help organisations to pay ransoms could face prosecution. However, some security experts fear that this would simply encourage criminals to increase attacks on critical infrastructure, where the risk from not paying is greater. In other instances, such as Australia, there is a bill under consideration for mandatory reporting requirements when a ransom has been paid in response to a cyberattack. Sharing of information may be a means to empower investigations against the criminals who committed the attack, rather than against the victim(s) of the attack.
Ultimately, if all organizations agreed to never pay ransoms, the number of attacks would drop significantly. The reality, though, is that there will always be some who are compelled to pay in an attempt to resolve the problem quickly, especially when lives are at stake. As our analysis showed, there is a disproportionate impact on people and organizations as a result of ransomware attacks against the healthcare sector. So long as that is the case, ransomware operators will continue their attacks. At the CyberPeace Institute we see the need for more research into the stakes of the payment or non-payment of ransoms, including the perspective of victims of ransomware attacks and the impact assessment of regulations imposing reporting of ransom payments.
Stéphane Duguin is the Chief Executive Officer of the CyberPeace Institute.
© Copyright: The concepts and information contained in this document are the property of the CyberPeace Institute, an independent non-governmental organization headquartered in Geneva, unless indicated otherwise from time to time throughout the document. This document may be reproduced, in whole or in part, provided that the CyberPeace Institute is referenced as author and copyright holder.