Responding to a ransomware attack
When employees or the IT department suspect a ransomware attack is underway, cyber experts recommend isolating the “infected” part of the network, shutting down the computer system to prevent further damage, and securing backups.
Soon afterward, cyber criminals typically communicate their ransom demands electronically with instructions for payment. One practice described seeing a “skull and bones image” on its laptops with a link to instructions to pay the ransom demand in bitcoin.
Although you never want to pay criminals, it’s ultimately a business decision that every organization that’s affected by ransomware has to make, said Kathy Hughes, chief information security officer at Northwell Health in New York. “They need to weigh the cost and impact from paying a ransom against what they are able to recover, how long will it take, and how much will it cost,” she said.
While it may be tempting to pay a small ransom, such as $5,000, cyber experts warn that it doesn’t guarantee full access to the original data. About one-third (34%) of health care organizations whose data were encrypted paid the ransom to get their data back, according to a June 2021 HHS Report on Ransomware Trends. However, only 69% of the encrypted data was restored, the report states.
Criminals may also demand another payment, called “double extortion,” by threatening to post any extracted private patient or employee data on the dark web, said Ms. Hughes.
Practices sometimes choose not to pay the ransom when they know they can restore the backup files and rebuild the system for less than the ransom amount. However, it can take weeks to rebuild a fully operational IT system; meanwhile, the organization is losing thousands of dollars in patient revenue.
Criminals may retaliate against a practice that doesn’t pay the ransom by wiping the hard drives clean or posting the extracted medical, financial, and demographic data of patients on the dark web. Patients whose information has been extracted have filed class-action lawsuits against medical practices and organizations such as Scripps Health, in San Diego, claiming that they should have done more to keep their private information safe.
Experts also advise reporting the attack to local law enforcement officials, who may have cyber security experts on staff who will come on site and investigate the nature of the attack. They may also request help from the FBI’s professional cyber security team.
Having a cyber insurance policy may help offset some of the costs of an attack. However, make sure you have a good cyber security program, advised Mr. DeFord.
He suggests that small practices partner with large health systems that can donate their cyber security technology and related services legally under the updated Stark safe harbor rules. Otherwise, they may not meet the insurer’s requirements, or they may have to pay significantly higher rates.