As if healthcare organizations didn’t have enough to worry about when it comes to cyber security, several providers in highly publicized incidents have been hit with ransomware. In the absence of effective prevention to block this kind of health data hostage-taking, the question confronting the industry is: to pay or not to pay the ransom?
I myself have been the victim of ransomware. Needless to say, it’s not a very pleasant experience. The message I received on my laptop from the cyber criminals was simple and to the point: all of my files were now “protected” by strong encryption with RSA-2048 using CryptoWall 3.0 and encrypted with the public key, which was transferred to my computer via the Internet.
“This means that the structure and data within your files have been irrevocably changed, you will not be able to work with them, read them or see them; it is the same thing as losing them forever, but with our help, you can restore them,” stated the ransom note from the data abductors. “Decrypting of your files is only possible with the help of the private key and decrypt program, which is on our secret server.”
The warning concluded: “If you really value your data, then we suggest you do not waste valuable time searching for other solutions because they do not exist.” Thankfully, the files encrypted on my laptop were Word documents containing already published stories of mine, as well as high-resolution jpeg images for work that were easily replaced. Given the nominal value of the data, I immediately decided not to pay the ransom demanded by the cybercriminals.
I can certainly sympathize with healthcare organizations hit by similar kinds of ransomware, with data for thousands of patients potentially gone forever. The loss of that information could be devastating, not only for the organizations involved but for the individuals whose lives would be negatively impacted. I also recognize that it’s easy to condemn those that have paid a ransom to get data back.
At the same time, I believe that healthcare as an industry needs to make the decision not to give into the demands of cybercriminals who hold data hostage. Only through a united front against hackers who use ransomware will there be a chance of dissuading this kind of criminal activity.
Clearly, data and people should in no way be seen as equivalent. For those Americans who have been kidnapped and held hostage by armed groups overseas, it must be horrific for their families who are faced with the decision of paying a ransom to help free their loved ones. Nonetheless, in a very practical sense, paying ransoms makes Americans more inviting targets for kidnapping and endangers the lives of more of our fellow citizens here and abroad.
Likewise, a “no concessions” policy with regard to data hostage-takers is the most sensible approach for protecting health information from the threats of ransomware.
Obviously, we live in America, and providers and payers are free to do what is in their best interests as well as what they perceive to be in the best interest of their patients. Yet, they must carefully weigh their decisions because what they ultimately decide affects all providers down the road.
These kinds of ransomware attacks will surely continue, unless and until cybercriminals no longer have the financial incentive for taking data hostage in the first place.
Register or login for access to this item and much more
All Health Data Management content is archived after seven days.
Community members receive:
- All recent and archived articles
- Conference offers and updates
- A full menu of enewsletter options
- Web seminars, white papers, ebooks
Already have an account? Log In
Don't have an account? Register for Free Unlimited Access