Cyberattacks have risen in frequency over the past few years and that pace is only expected to accelerate as COVID-19 lingers in the U.S. But what's the best strategy for healthcare organizations hit with a ransomware attack — should they pay to restore their data, or not?
There's no one clear answer, cybersecurity executives said Tuesday at the HIMSS21 conference in Las Vegas. But even as hackers have ramped up their operations during the COVID-19 crisis, so too do payers and providers need to prepare for attacks that seem increasingly inevitable.
"I just think we really need to step back and reassess here," Michael Rogers, director of the National Security Agency during the Obama administration, said.
To pay or not to pay
Healthcare companies were especially vulnerable to cyberattacks even before COVID-19, as increased investment in technology and a growing focus on data sharing, coupled with outdated infrastructure — including underfunding IT departments and legacy medical devices with little-to-no cybersecurity features — have exponentially increased the number of potential infiltration points for cyberattacks.
Fewer than half of healthcare organizations met national cybersecurity standards in 2019, even as cyberattacks grew in complexity, according to consultancy CynergisTek.
One such attack popular with hackers is ransomware, a type of malware that doesn't access or steal an organization's data, but instead extorts users by encrypting it until they pay to regain access.
More than a third of healthcare organizations were hit by a ransomware attack last year, according to cybersecurity company Sophos. Roughly a third of medical companies that had data stolen paid to recover their information, which is actually lower than estimates in other industries. Recent research by the Neustar International Security Council found six in 10 organizations said they would pay hackers for the decryption key in event of a ransomware attack.
It's technically illegal in the U.S. for a company to pay a ransom to an individual, group or entity that's been sanctioned by a government, so healthcare companies need to make sure their lawyers aren't involved if they decide to pay up, said Michael Coates, former chief information security officer for Twitter.
But "whether you pay should be a different conversation than should you be in conversation with the entities who are doing this," Coates said.
Engaging in talks with cyber criminals — regardless of your willingness to pay — gives you time to respond and loop in law enforcement, along with insight into how the criminals might have gained access to your organization.
"I don't think there's a single yes or no," Coates said, though "my personal professional perspective has always been not to pay."
But "it almost always makes logical sense to pay," especially in healthcare, said Alex Stamos, Facebook's former chief security officer. With patient lives on the line, continuity of care is essential — and it might cost more to fight the attack by halting operations and bringing in pricey outside cybersecurity consultants.
In one of the first high-profile ransomware attacks in healthcare, Hollywood Presbyterian Medical Center in Los Angeles chose to pay $17,000 in bitcoin to hackers in 2016 to recover its data.
According to Sophos, the average healthcare ransom payment is roughly $131,000.
"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," CEO Alan Stefanek said in a statement defending his decision at the time. "In the best interest of restoring normal operations, we did this."
By comparison, hospital chain Universal Health Services fell victim to a massive cyberattack in September and elected to fight the malware, shutting down its digital operations and diverting ambulance traffic and scheduled procedures to competitors.
The incident — one of the largest medical cyberattacks in U.S. history — eventually cost the operator some $67 million pre-tax.
"If you're considering paying, definitely negotiate," said cybersecurity analyst Keren Elazari. "There's a lot of times where the negotiation can halve the price, or bring it to a more manageable amount."
But at the end of the day the decision goes beyond finances: In healthcare, it's a moral judgement, too. In September, a patient died as a result of delayed care after University Hospital Düsseldorf in Germany was forced to turn patients away from its emergency room after a ransomware attack.
"It's continuity," Coates said. "You need to get those systems up and running. You need to save lives."
Resiliency and survivability
That rising interconnectedness of medical delivery and technology, along with an extensive use of third-party software vendors for clinical, revenue cycle management and other back-end functions, means the healthcare sector will remain vulnerable to breaches, experts say.
So it's now, in the period between attacks, when organizations should be investing heavily in their IT infrastructure and readiness plans, according to the panelists. Currently, security experts are experiencing a strategic sea change in how they counter cyberattacks, shifting from a focus on shoring up defense — an increasingly outdated and ineffective plan, given the increasing volume and complexity of cyberattacks, coupled with the massive size of healthcare organization's IT surfaces that need protection — to survivability.
Panelists recommended companies assess their IT strengths and weaknesses to know how to prepare, even role-playing a breach to see how their contingency processes play out and workforce responds.
That could even include "red team testing," suggested Elazari, where companies bring in friendly hackers and have them test IT systems the way true attackers would, to identify weak spots.
Additionally, it's important to have a culture shift, Stamos said, moving away from blaming just security personnel for breaches to a more supportive environment where security is a universal goal.
"It should be boring," Coates said. "What builds resiliency in cybersecurity is thinking about fundamentals. And that is boring, and it's also hard."
Data suggests the desire for increased investment in cybersecurity is there in healthcare, even if the urgency isn't. According to a Moody's report published in May, 37% of hospital executives say cybersecurity performance is an organizational objective. And, though nonprofit providers spend just 5% of their budgets on cybersecurity, that's still up from just 3% in 2018.
But with industry trends continuing to unsilo IT operations and incentivize technological adoption, "you have to rethink how you position yourself in this new normal you're in. Maybe your priorities need to change," Elazari said. "Survivability is key, and security isn't a destination. You don't get there and you're done. It's a journey."