Should hospitals pay up when it comes to ransomware?

Has the recent wave of ransomware attacks aimed at hospitals been a wakeup call for the healthcare industry? Or is this latest security plague just part of the new normal?

Ransomware has become a major threat to the U.S. healthcare industry this year. The high-profile attacks that involved Hollywood Presbyterian Hospital in Los Angeles, MedStar Health in Washington, D.C., and other healthcare systems are just the tip of the iceberg. Over half of hospitals surveyed recently by HIMSS Analytics and Healthcare IT News said they had been hit by ransomware attacks in the past year. Another 25 percent were unsure whether such attacks had occurred.

It’s not clear how many hospitals have paid ransoms to cyber-criminals to unencrypt their data and/or unlock their systems. Hollywood Presbyterian announced it had paid $17,000 to get its data back after being unable to use its EHR for 10 days. Methodist Hospital in Henderson, Ky., also reportedly paid $17,000. MedStar’s systems were at least partly down for nearly a week, but the organization didn’t say whether it had paid a ransom.

Asked whether they’d fork over the ransom payment if hackers had encrypted their hospital’s patient data, about half of the healthcare executives in the HIMSS Analytics survey said they wouldn’t. Forty-four percent said they were unsure, and just 5 percent said they would pay.

But experts say that the exponential growth of ransomware attacks indicates that some victims are yielding to the hackers’ demands. “The increase is related to the fact that attacks are successful because organizations are willing to pay. They will continue to rise as long as that continues to be the case,” says Nathan Gibson, director of IT operations/privacy officer for WVMI Quality Insights, based in Charleston, West Virginia.

Low-hanging fruit makes for easy pickings?

Another reason for the jump in ransomware incidents this year is that publicity about the attacks and hospitals’ vulnerability to them “has emboldened the bad guys,” says Mac McMillan, CEO of CynergisTek, an Austin, Texas-based IT security firm. In addition, he says, “There’s a very low risk of these people getting caught,” and there’s a potentially big payoff.

McMillan agrees that $17,000 isn’t a huge sum for a hospital or healthcare system to pay to regain access to its data and to protect its patients and its reputation. “But the more you pay, the more it incents the hackers to do it,” he notes. “And the last thing you want to do is incent their behavior.” Also, Gibson observes, there’s no guarantee organizations will get their data back if they pay the ransom.

On the other hand, McMillan points out, “It’s easy to say, ‘We don’t pay criminals,’ if you’re not the one who’s locked out of your system or doesn’t have access to data. At the end of the day, you want to try hard not to pay that ransom. And the best way to do that is to be prepared to deal with the incident and to recover quickly.”

There are two basic forms of ransomware. One type prevents users from logging into the system, and the other encrypts the data; some attacks involve both kinds of malware.

McMillan says the crypto-ware version is the more dangerous of the two. “If a hospital is attacked by malware that locks the system up, it can survive that if it has good recovery procedures and an alternate site that IT people can use to reconstitute the environment. But once your data is encrypted and you no longer have access to your data, and if you don’t have the ability to recover quickly and reconstitute and provide your data from a backup, it’s very complicated to recover from that.”

Data backups are the key to surviving ransomware attacks. But some hospitals and physician practices don’t back up their data at all. This lack of security awareness puzzles McMillan. “It’s possible that security is still not seen as a critical business function” in those organizations, he suggests.

Even if a hospital or a physician group does back up its data, it might do so only on a nightly basis. So, if a ransomware attack occurs and the organization uses its data backup to continue operations, the database will be missing everything that has been entered into the system since the previous evening, notes Gibson. That’s much better than nothing, but it will still send clinicians scrambling.

Many hospitals do near-real-time backups of data on mirrored servers. In case one server goes down, the other can take up the slack. “But if you have near real time backups, those backups will be vulnerable to attacks, because they’re online and available [to malware] on the network,” Gibson points out.

McMillan agrees that this poses a challenge. “You want to make sure you have good access controls and good separation between those two systems so that if malware breaks out in the first system, you can sever the connection between that and the backup very quickly,” he says.

Both experts concur that adding a second backup system could help organizations recover in case of a ransomware attack. Gibson suggests using a backup system that is offline most of the time and backs up the main system “every so often.” He’d also segment the redundant server to allow security controls to ferret out “malicious activities that can affect the backup.”

McMillan observes, “Cloud backup can be advantageous, because often, cloud vendors will back up data in multiple locations. And as soon as you know that something has been infected, you can sever that and make sure not all your backups are infected at the same time. Also, cloud vendors have good malware detectors and filters, so even if it doesn’t get caught in your environment, they may catch it before it infects the backup.”

However, Gibson counters, many healthcare organizations are still wary of placing sensitive patient data in the cloud. One alternative, he says, is to segment online backup in a separate non-cloud system that uses a protocol that the malware is not trying to utilize.

“A lot of ransomware is looking for network shares and directly accessible systems,” he says. “If you have a backup that’s using a different protocol, the malware might not be able to reach that.”

An ounce of prevention …

Healthcare organizations can also protect themselves by using advanced malware detectors that quickly tip off security personnel when an intrusion occurs. Older antivirus software, McMillan notes, searches for malware with known signatures; but the newer forms of malware, including ransomware, lack those signatures. So the advanced detector searches for anomalies rather than just signatures.

“It can segregate that attachment or email or other delivery mechanism and put it in a quarantined area where it can be inspected,” he notes. “Most advanced detectors will block the unknown piece of code at the perimeter and send it to the cloud for analysis. If it’s harmless, it’ll send it back and let it through.”

Gibson agrees that every organization should have a “gateway server that filters email and Internet traffic.” The only problem with opening up attachments in a safe area to search for malware is that, in some cases, the ransomware is not executed until it contacts the server that sent it. So it might sit there and do nothing until an organization allows it into its network.

To protect against ransomware and other kinds of malware, says Gibson, every healthcare organization should assess its security vulnerabilities. “It’s important to have a security risk assessment and instant response plan to combat these types of threats,” he says. “HIPAA requires a risk analysis, so many of these controls and defenses should already be in place. Then it’s just a matter of continuing your security risk assessments on a continuous basis to meet new threats and enhance your security controls.”

Ken Terry
