Hospital system pays ransomware hackers: Did it make the right choice?

The epidemic of ransomware hackers targeting hospitals and other medical service providers doesn’t seem to be ending anytime soon. Hackensack Meridian Health, a New Jersey-based health provider that is the largest in the state with 17 hospitals under its umbrella, has decided to pay the hackers who disrupted their network. Earlier this month, as Hackensack Meridian Health stated to the media, the IT division noticed that there were specific operations being impeded by the ransomware. The statement, which is excerpted below, gives a decent picture of what was and was not affected by the ransomware:

Based on our investigation to date, we have no indication that any patient or team member information has been subject to unauthorized access or disclosure… [The attack affected] anything with computer software — scheduling and billing systems and labs and radiology… There have been delays in orders, lab work and they are having to double-check paperwork carefully to make sure everything is accurate.

On top of this, roughly 100 elective surgeries had to be rescheduled because the network was so compromised. It is perhaps due to this that Hackensack Meridian Health decided to pay the ransom, against the recommendations of cybersecurity experts. When people’s lives are at risk, it is understandable that an organization would decide to make a less-than-ideal choice. What is perplexing is that this situation could have, and should have, been avoided, as ransomware hackers focus on health-care providers more than any other target.

In an interview with Lindsey O’Donnell of Kaspersky Labs’ Threatpost, Joseph Carson, chief security scientist at Thycotic, had this to say on the incident:

It’s shocking that a few years after WannaCry and NotPetya, the health-care industry is still not prepared to deal with ransomware attacks… You would assume that the industry would have implemented an incident response plan and a solid backup/recovery process by now. However, we still see struggles once a system is infected as it spreads through the network, forcing IT to revert to pen and paper. We have to accept that people are going to click on stuff so we need to raise the priority of implementing the principle of least privilege, which will reduce the possibility of ransomware infecting systems and spreading throughout the network.

The fact is that ransomware hackers will continue to be powerful as long as organizations allow it. Once ransomware is rendered obsolete by better security practices, cybercriminals will be forced to move along.

Christiaan Colen