States Consider Blocking Ransomware Payments

Over the past several years, ransomware attacks have become a steadily more virulent threat to healthcare organizations. Things have gotten even worse since the pandemic hit, as it has strained healthcare IT organizations to the limit and made them far more vulnerable to security breaches.

The latest wave of healthcare ransomware attacks has included “triple threat” events in which attackers not only demand payment from healthcare organizations but also ask for money from patients and business partners.

Of course, there’s no such thing as a good cybersecurity breach, but ransomware attacks seem to be particularly expensive and visible. During 2020, which saw 92 attacks affecting healthcare organizations, the average ransom paid out by health systems was $910,335, and when other expenses are added to the mix the true cost can be dramatically higher, according to a recent paper by security vendors Medigate and Crowdstrike.

In the paper, the two vendors note that in the wake of one attack last year on a U.S.-based university system, the hospital had to cancel or delay procedures and appointments for 40 days. The system also ended up furloughing or reassigning more than 150 staff members during the IT lockdown. Ultimately, the attack cost the institution an estimated $64 million.

The paper notes that the actual losses might exceed even this estimate. Estimates like the one above often leave out major expenses, such as the unbudgeted advertising spending hospitals take on in an effort to repair their reputation, the vendors said.

Aware of these trends, some state legislatures have been considering measures that would limit or even ban some ransomware payments entirely. While most of these limits would apply to state agencies or other local governmental authorities, some of the restrictions would apply to any entity that receives public funds, or even to all business organizations, according to a research article by the law firm Alston & Bird.

States that have considered such limits include New York, North Carolina, Pennsylvania and Texas. For example, a Pennsylvania bill would prohibit the use of state and local taxpayer money to make a payment. (This was the situation as of late summer of this year, according to the firm.)

The notion behind such efforts is to kill the incentive for cybercriminals to deploy ransomware in the first place. Some hospital leaders argue that if ransomware attackers didn’t get paid for their efforts, they would see these attacks as pointless.

I can see where they’re coming from. After all, it’s worth bearing in mind that even among those who paid out the ransom, about one-third of these organizations never saw their data fully restored. However, is there a time when paying the ransom makes sense (i.e. you have no other options)? And should the government ban something like this?

Banning payments to ransomware attackers seems likely to backfire if we go about it in a heavy-handed way. I don’t know what all the unintended consequences might be, but they’re lurking in the bushes without a doubt.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.
