Issue link: https://beckershealthcare.uberflip.com/i/674245
81 FINANCE HEALTH IT Client: C/S Group Job#: 10344 Name: C/S Acrovyn Wall Panels Ad Publication: Beckers Colors: CMYK Bleed: Yes Size: 8.375" x 10.875" Insertion: 2305 May 2016 Advertisers Index: Constuction Specialties, Inc. www.Acrovyn.com/WallPanels To Pay or Not to Pay Ransom: A Tale of 2 Hospitals By Akanksha Jayanthi A t least five hospitals reported ransowmare attacks in the past two months. For two of those hospitals, many of the basics of the incidents were the same — they both declared an internal state of emergency aer malware locked them out of their systems. However, the resolu- tions at the hospitals were vastly different. e first, and most public, incident happened at Hollywood Presbyterian Medical Center in Los Angeles, where in early February hackers shut- down the hospital network and locked physicians out of the EHR. e second occurred at Method- ist Hospital in Henderson, Ky., in March, where a ransomware virus limited the use of the hospitals web-based services. While Hollywood Presbyterian paid a $17,000 ransom, Methodist Hospital didn't spend a dime. e latter scenario, in which organizations do not pay anything, is actually more common, according to Mac McMillan, co-founder and CEO of healthcare security and privacy con- sulting firm CynergisTek. "Many of our hospi- tals do actually detect the ransomware when it comes in," Mr. McMillan says. "A lot are able to detect it . stop it and then physically remove it from their environment and rebuild those sys- tems…to get back up and running." at appears to be the case at Methodist Hospi- tal. A hospital statement indicates the information systems department immediately shut down the hospital's electronic data system to prevent the virus from spreading and activated a back up sys- tem while the main system was down. Now, the hospital is restructuring its network. No payment needed. (Methodist Hospital did not disclose how much ransom was demanded). is is the path to resolution Mr. McMillan says the security world prefers because when organiza- tions pay the ransom, it encourages other bad ac- tors to launch their own ransomware campaigns. It's an opportunistic industry. However, Mr. McMillan acknowledges it's an easier-said-than-done situation because security professionals aren't the ones directly dealing with the event or its fallout. "If you put yourself in these organizations' positions, you're facing a downtime that is costing the business millions of dollars. You're facing a situation where you're confronted with a public event," he says. "It's unfair armchair quarterbacking to say perhaps he didn't make the right decision. At the end of the day, he may have made the only decision that makes sense." Allen Stefanek, president and CEO of Hollywood Presbyterian, said in a statement the hospital de- cided to pay the ransom because it was "the quick- est and most efficient way to restore our systems and administrative functions…and obtain the decryption key. In the best interest of restoring normal operations, we did this." Aside from Mr. Stefanek's released statement, Hol- lywood Presbyterian has remained mum about the circumstances surrounding the cyberattack. However, Dave Kennedy, CEO and founder of information security firm TrustedSec, told CBS News the hospital likely paid the ransom because their backup system may not be strong enough to recover the data. "If they decided to pay the ransom, it probably means that they didn't have very good backups, they weren't able to recover the data, and that the data would have been lost if they didn't pay the ransom," he said. A growing threat ese two high-profile cases are just the tip of the ransomware iceberg in healthcare, Mr. Mc- Millan says, adding that the number of attempts is growing exponentially. One hospital client told Mr. McMillan that a month ago, they tal- lied approximately 3,000 suspected ransomware events in their filters a day. Now, that number has multiplied 10-fold to 30,000 a day. Again, the majority of such attacks are caught before they can take down a hospital's network. But, the increasing number of threats remains a concern for hospitals and health systems and is likely spurred by the public success of other bad actors, like those involved with Hollywood Presbyterian, have relative success. "e bad guys go where they need to go, and there's [been]…a fair amount of success with these most recent ransom attacks in health- care," Mr. McMillan says. Money matters While cyber attacks aren't rare in healthcare, ransomware is set apart from other types of malware because of the transactional element involved. While other players are seeking in- formation and data (though likely to sell the information down the road for money), ran- somware attacks seek the money up front. No matter how prepared hospitals are for cy- berattacks and detecting ransomware, it's nearly impossible to plan ahead monetarily or budget for this type of event. "You have no idea what the ransom is going to be," Mr. McMillan says. "Budgeting for it would be virtually impossible, other than pulling a number out of the air." Hollywood Presbyterian's ransom was slightly higher than cases in other industries. For ex- ample, the Tewksbury (Mass.) Police Depart- ment suffered a ransomware attack in April 2015 that encrypted arrest and incident records. Aer five days of trying to unlock the files, the police department paid the requested $500 ran- som. A Boston Globe article reporting the attack mentioned several other police departments that were also hit with ransomware, including Midlothian (Ill.) and Dickson County, Tenn., all of whose ransom was also right around $500. Instead of specifically budgeting for potential ransomware attacks, Mr. McMillan says such attacks are incidents organizations should be factoring into their business risk and using to determine what kind of insurance policies they may select. As for the payment, he says organi- zations likely turn to a fund reserved to handle unexpected expenses. Best defenses No organization is completely immune from a cyberattack, ransomware included, but much of a hospital's defenses lie with hospital staff. "e individual user…in many cases is at the cen- ter of this," Mr. McMillan says. "A lot of these ransomware attacks are started by somebody going to a site they shouldn't go to, download- ing something from the Internet they shouldn't download, clicking on an email message and giving up credentials, or doing something they shouldn't [be] in a phishing scam." Mr. McMillan reiterates the importance of employee training and education. He offers a three-pronged approach to eliminating human error that leads to malware attacks. e first step lies in better and more consistent experiential-based education so computer end users can better identify and avoid these types of attacks. Second, Mr. McMillan calls on hospital leaders to scrutinize their allowance of personal de- vices at work. "It's really nice to give your em- ployees all these capabilities to be able to go to the web from their work computer, go to their personal emails to do X, Y and Z. But you need to stop and think about the business risk you're opening your organization up to by allowing your users to do all those things that are not work-related on your computer," he says. ird, investment in adequate and appropriate malware threat protection technology is criti- cal, he says. A combination of the three of these — educa- tion, workplace policy and technology — com- prises a strong defense, and these defenses are going to become more necessary as ransom- ware attacks ramp up. "What these attacks are telling us is this is the reality we're in today," Mr. McMillan says. "You either embrace it and figure out how you're go- ing to get smarter and avoid the risks, or you're going to wait until you're the next victim." n