Responding to healthcare cyberattacks: To pay or not to pay?

December 09, 2024
By Cecil Pineda

With healthcare organizations facing a surge in ransomware attacks, providers who are victims of such attacks are confronted with a difficult decision – whether to pay a ransom or resist.

At one end of the spectrum, paying the ransom can quickly restore critical operations and protect patient information, potentially preventing severe disruptions in care. On the other end, paying potentially encourages further attacks and maintains the possibility that attackers may not fully restore access or may demand additional payments.

Recently, there has been ample news about healthcare ransomware attacks. Among the more notable ones, Change Healthcare paid a $22 million ransom and still did not receive its data back. Separately, Cencora, the drug distributor formerly known as AmerisourceBergen, paid a record $75 million in ransom, marking the largest known cyberextortion payment ever recorded.

One thing that is not in question is that healthcare organizations are under threat from ransomware attacks like never before. Worldwide ransomware attacks against the healthcare sector nearly doubled from 2022 to 2023, with a total of 389 claimed victims in 2023, according to the U.S. Office of the Director of National Intelligence (DNI). In the U.S. alone, attacks against the healthcare sector grew 128% to 258 victims in 2023.

When hospitals are hit by ransomware, the consequences can be dire, potentially resulting in disrupted patient care, including delayed medical procedures and strained acute care delivery and capacity, according to DNI.

Why healthcare?
Primarily, prominent threat actors understand that healthcare organizations place a high priority on patient safety and continuity of operations – meaning that healthcare institutions are more likely to respond to cyber extortion threats.

Healthcare organizations hold a large amount of protected health information, which is particularly valuable to criminals, making them more alluring targets for bad actors. Businesses will consider paying to protect this information from being published online.

This industry is particularly vulnerable to ransomware attacks due to a mix of old and new technologies. For example, hospitals often operate numerous legacy information systems that are vulnerable, in some cases because they are no longer being serviced by vendors. Hospitals are also highly dependent on newer technologies, such as devices connected to the Internet of Things (IoT), whose sheer number creates vulnerabilities.

Indeed, in 2024, healthcare was the most expensive industry for responding to and recovering from data breaches – as it has been every year since at least 2011, according to a report from IBM. The average cost for a healthcare breach was $9.8 million, while finance ranked second at $6.1 million.

Being the target of cybercriminals is obviously an uncomfortable and difficult position for any executive. Sometimes, making the best choice is largely a question of opting for the lesser of two evils. When faced with direct threats from ransomware criminals, the following are a few considerations for hospital and health system leaders:

Perform a thorough risk analysis: Work closely with a team of IT security experts, legal counsel, law enforcement, federal authorities, and external experts in cybersecurity threats to understand the advantages and disadvantages of paying up as well as holding out. Ultimately, the decision about whether to pay a ransom is not a technical one, but a business decision.

Understand who you’re dealing with: Look into the history of the threat actor and what they have done in the past. Many will likely do what they say (i.e., leave you alone) – if you pay up. But obviously it’s impossible to take them at their word. Try to ascertain whether there is any pattern to how the attackers are likely to respond, regardless of which response you choose.

Don’t go it alone: Layer security technologies on top of one another to strengthen your defenses. For example, use an advanced anti-malware solution, and outsource 24x7 monitoring services to a reliable third-party expert. Also important: Your own people are your best defense, so ensure that they receive cybersecurity training.

Prepare with tabletop exercises: While nothing can totally prepare health systems for the real thing, the process of practicing a response to security threats helps employees get in the right mindset and become familiar with the type of decision-making that will be required. Practice often, use a variety of common incident scenarios, and involve everyone – internal and external teams.

Do not forget your backups: The majority of successful ransomware recoveries are due to regularly tested backup and recovery processes.

The unfortunate reality for health systems and hospitals today is that ransomware attacks are less a question of “if” and more a question of “when.” While paying the ransom may seem like a quick fix to restore critical services and protect patient data, it comes with considerable business and legal risks. As healthcare continues to be a prime target for cybercriminals, driven by the sector’s reliance on vulnerable legacy systems and highly valuable patient information, it is essential for healthcare leaders to be proactive. Ultimately, informed decision-making is critical to navigating the complex and dangerous landscape of ransomware attacks. And healthcare organizations should prepare for them as if they will be confronted with one tomorrow.

So, do you pay? It really depends on many factors and considerations, and every organization will have a different stance. Those decisions should have been made at the executive level even before an incident. And those decisions can change when the dreaded event has arrived at your doorstep.

About the author: Cecil Pineda is the CISO and SVP at R1 – a global healthcare organization with more than 30K employees in the US, India, and the Philippines. Cecil leads a team of cybersecurity professionals and is responsible for the security of its entire infrastructure. Cecil is also the Co-Founder of CISOXC – a professional organization bringing cybersecurity leaders together at various events, including large conferences and symposiums. His organization has donated over $350K to various charities. He also served as the CISO at DFW International Airport and held leadership positions at GameStop, TXU Energy, Boeing, CVS Health, and EY. He is an active member of the DFW CISO community and various cybersecurity professional organizations (ISC2, ISACA, IAPP, ISSA, and others).