Global Edition
HIMSS21

Ransomware attacks: To pay, or not to pay?

While it may make sense for healthcare organizations to accede to cybercriminals' demands in the interest of patient safety and business continuity, one expert at HIMSS21 said it's time to "disrupt the economic balance here."
By Mike Miliard
August 10, 2021
01:36 PM

(L-R) Michael Coates, Keren Elazari, Alex Stamos, Michael S. Rogers and Jigar Kadakia

Photo: Oscar and Associates for HIMSS Media

LAS VEGAS – The FBI and Department of Homeland Security have always recommended against paying up when cybercriminals demand exorbitant bitcoin deposits to decrypt files seized by ransomware.

But in a healthcare setting, where continuity is critical and often a matter of life and death, that advice is not so cut-and-dried.

During a HIMSS21 keynote on Tuesday morning, a group of security experts debated a crucial question that more and more healthcare organizations have been asking themselves recently: to pay, or not to pay?

The panel – retired Admiral Michael S. Rogers, former director of the National Security Agency and former Commander of the U.S. Cyber Command; Alex Stamos, founding partner at Krebs Stamos Group and former security chief for Facebook and Yahoo; Michael Coates, cofounder and CEO of Altitude Networks and former CISO at Twitter; Israeli cybersecurity analyst, author and researcher Keren Elazari; and Jigar Kadakia, chief information security and privacy officer at Mass General Brigham – all had different opinions on the topic.

"There's no broad legal prohibition in the U.S. against a company paying ransom, with one notable exception," Adm. Rogers noted. "It is illegal to pay ransom to a group, individual, nation state or entity that's been sanctioned, either by the U.S., the United Nations or any other international body."

But whether you pay "should be a different conversation than should you be talking to these individuals," Rogers added.

"I always say you should be speaking to the criminals, for two reasons: one, it can give you time – time to help your defenses and help your organization respond – and two, it can sometimes be a source of insight into what this actor has done."

While the former Cyber Command chief noted that his "personal and professional preference has always been not to pay," he did acknowledge that there are "some circumstances where some organizations think it's the appropriate thing to do. I think it's appropriate when we're talking about life or death, and that's certainly a challenge within the healthcare arena."

His advice? "Rather than having a concrete 'always' or 'never,' think about the criteria you will use to make that decision, should you find yourself in a ransomware crisis."

Stamos took a different view, arguing that ransomware payments should be made illegal in most cases.

"The great evil genius of ransomware is that, in the micro picture, if you are a victim, and you've come in on Monday morning, and your exchange servers are locked up, and none of your systems are working, and people have no idea what the hell they're doing that day, and you've got a ransom alert saying, 'We've got all your data,' It almost always makes logical sense to pay," he explained.

"For all your stakeholders, your employees, your shareholders – in this case your patients – it probably makes sense to pay," he said.

"And that's the genius of it: All of the incentives are lined up that it's probably cheaper to pay a couple million dollars. Because the moment you call a DFIR [digital forensics and incident response] company and outside counsel, you're at seven figures in billing already. So it's cheaper to pay."

That's why "we need to outlaw ransom payments," he said.

"Generally today, companies do not face legal sanction for this. You have the FBI saying please don't pay. But they have no way to really enforce that.' And in the moment you're not going to take that advice."

That's where the Office of Foreign Assets Control should come in, said Stamos, referring to the financial intelligence and enforcement arm of the U.S. Treasury Department, which enforces trade sanctions to support U.S. national security.

"What I would like to see is I'd like to see the top 10, top 20 ransomware teams all designated as OFAC actors," he said. "While that technically would not outlaw all ransom payments, it practically would because you would have no idea if you're operating with one of those in that capacity.

"That's the only way we can disrupt the economic balance here, because the economics are just working out way too well on the attackers' side."

Elazari agreed that "it's the perfect crime, ransomware. 'We steal your access to your information and, if you don't pay us, we're going to give your information to everyone else.' And I don't think that's going to go away anytime soon. It's very successful, and they're just getting started. They're evolving, they're sophisticated, they change their methods all the time."

Her advice to healthcare organizations that find themselves in hackers' crosshairs: "If you're considering paying, definitely negotiate. From what I've seen, there's a lot of times where negotiating can half the price or bring it down to a manageable amount.

At the same time, Stamos joked, "it's amazing how bad the ransomware people are at negotiating. They'll throw out a Dr. Evil number like $50 million dollars."

"We'll give you $2 million. 'OK,'" said Elazari with a laugh.

"In the negotiating process, you learn more. You learn about their motivations, you learn maybe details that could assist in investigation and enforcement."

"Certainly, I think we have to be more prepared," she added. "Don't do it alone. That's my message. Find out who you are and trust to partner with. You need to know who your Ghostbusters are, so you know who you're gonna call when something happens."

"One of the challenges here is that some of the skills that are needed are outside the realm of what most organizations have within them," said Rogers. "Most organizations do not have folks who know about bitcoin wallets or are familiar with the negotiation piece.

'One of the things you need to think about in advance is what are the skills, what are the capabilities to do with the ransomware that they have to get from the outside?" he said.

Hospitals and health systems are in a unique and challenging position when it comes to ransomware, Coates acknowledged.

"The goal of your organization is to protect lives and humans. And we need to boil it down to that question. It's continuity. You need to get systems up and running. You need to save lives. When you find yourself in that situation, yes, it may make sense to pay the ransom."

His advice: "If you're not in that situation now, use that breathing room to figure out a plan of attack beforehand."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.

HIMSS21 Coverage

An inside look at the innovation, education, technology, networking and key events at the HIMSS21 Global Conference & Exhibition in Las Vegas.

Topics: 
Financial/Revenue Cycle Management, HIMSS21, Privacy & Security

More regional news

Chris Baird of OptConnect on RPM

How IoT is transforming remote patient monitoring

By
Bill Siwicki
November 04, 2024
Cybersecurity experts John Riggi and Richard Staynings speak at the HIMSS Healthcare Cybersecurity Forum.

Majority of cyberattacks are through third-party vendors

By
Susan Morse
November 04, 2024
Abstract of cloud and orbs in concentric circles

Altera makes comprehensive Azure-based EHR available

By
Andrea Fox
November 04, 2024
Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.

Top Story

Cybersecurity experts John Riggi and Richard Staynings speak at the HIMSS Healthcare Cybersecurity Forum.
Majority of cyberattacks are through third-party vendors

Most Read

How AI is transforming cybersecurity, on defense and offense
Generative AI is this CISO's 'really eager intern'
HIMSSCast: Toward safer and more secure use of AI
Q&A: How redundancy enabled resilience after Crowdstrike outage
What providers need to know about migrating their EHR to the cloud
The Light Collective amplifies its call for patient data rights

Research

White Papers

More Whitepapers

Patient Engagement
Patient Engagement
Financial/Revenue Cycle Management

Webinars

More Webinars

Imaging
Interoperability
Artificial Intelligence

Video

Jonathan Bauer at Atlantic General Hospital_Healthcare Cybersecurity Forum 2024
Cybersecurity focus and funding grow from big events
Darren Lacey at Johns Hopkins_Healthcare Cybersecurity Forum 2024
How AI can boost cybersecurity
Dennis Chornenky at UC Davis Health_PART 2_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
Chief AI officer: Multidimensional tech needs multidimensional leadership
Dr Der-Yang Cho at China Medical University Hospital_HIMSS24 APAC
A Taiwanese hospital's commitment to healthcare AI

More Stories

Doctor looks at a desktop computer screen in a medical office
Vendor AI Roundup: Enhanced EHR offerings designed to give practices a leg up
Dennis Chornenky at UC Davis Health_PART 1_AI in healthcare concept art Photo by Just_Super/E+/Getty Images
UC Davis Health's inaugural AI chief discusses the responsibilities of the role
Greg Garcia of HSCC at the HIMSS Healthcare Cybersecurity Forum
Work like 'a beehive, an ant colony' to protect against cyber intruders
Hands use a Medtronic device on a patient's hand to aid in testing pulse oximetry quality
Medtronic dismissed from pulse oximeter lawsuit, FDA still working on guidance
Elena Branche of Druid AI on AI
Cutting through the AI hype to ensure investments have impacts
Dr. Don Rucker at 1upHealth_Physician at laptop with medical data Photo by Tippapatt/iStock/Getty Images Plus
Looking under the hood of Medicare Advantage star ratings
Clinician reviews medical notes on a tablet
OpenAI's general purpose speech recognition model is flawed, researchers say
Oracle booth at HIMSS
New Oracle EHR promises AI-enabled reinvention