Ransomware attacks targeting the healthcare community are sending shockwaves through the industry. In late March, Washington DC-based MedStar Health became the latest in a series of providers to fall victim to ransomware.
The impact of a network-wide ransomware attack grinds operations to a standstill. Patient care is often at stake. In the wake of the MedStar attack, staff scrambled to provide services without access to emails and electronic patient records. It is not very surprising that Hollywood Presbyterian Medical Center in Los Angeles paid the perpetrators $17,000 in Bitcoin to regain access to their files after the February ransomware attack.
With these attacks, we’re seeing new attack strategies come into play. Ransomware, once a scourge largely against individuals, is now hitting companies and critical infrastructure where it hurts. These attacks demonstrate that data is becoming the new human ransom as criminals seek to cripple organizations by encrypting files with a private key – available at high cost – known only to the attacker.
When criminals target critical infrastructure, ransomware crosses an especially serious line, according to one of our partners who is a leading expert in cybersecurity law. “This case [the Hollywood Presbyterian incident] is an example of how cyber can impact the physical world – here, [it affects] the provision of medical services as some patients were diverted to other facilities,” says Tony Kim, global co-chair of cybersecurity at Orrick, Herrington & Sutcliffe LLP, a leading global law firm. “We’ve seen similar dynamics in relation to hacked vehicles, power grids, and other critical services.”
Criminals are also getting more aggressive in their attacks and demanding higher ransom payments, according to a partner who is a top expert on cyberinsurance. “Cyber extortion and ransomware are, without question, on the rise,” shares Toby Merrill, senior vice president, global cyber practice leader for Chubb, the world’s largest publicly traded property and casualty insurer. “A concerning aspect is that the demand values are increasing exponentially. What used to be a few thousand dollars with commoditized ransomware is turning into larger cyber extortion events."
The Hollywood Presbyterian hospital ransom was particularly vicious in that criminals sought an extremely high dollar payment of $3.4 million. The final amount negotiated, $17,000, was substantially less. Is this a new approach in which the terrorist expects the victim to negotiate, as with human ransoms? Start with an outrageous sum and settle for less? This figure is much higher than the average payout for ransomware. Will we see future ransomware victims adopt this practice of negotiating settlements to eke out maximum value from the payer?
Hospitals and companies can manage and minimize ransomware risk if they are prepared. These organizations must be as aggressive and flexible as the attackers to avoid hostile takeover of their networks, proprietary data and user information. Stay tuned for our next blog post on actionable steps organizations can take to guard against ransomware attacks.
-- Barnaby Page