Hospitals and Ransomware: The Temptation to Pay
Security Expert Kate Borten on Patient Safety Concerns
Some healthcare entities may be more likely than organizations in other sectors to pay extortionists to unlock data that's been encrypted in ransomware attacks because patients' lives are potentially at risk if data is unavailable, says privacy and security expert Kate Borten.
"Even though law enforcement would say 'don't pay, these guys are criminals, and we don't want to encourage criminal behavior, and you can't trust them,' ... the reality is that this is a business decision, and each organization needs to consider what the impact is," says Borten, founder and president of consulting firm The Marblehead Group.
"In healthcare, for provider organizations, the ultimate [consideration] is patient care, and if the attack has the potential to affect care of patients, then I think we see hospitals ... paying the ransom in some cases."
For example, Hollywood Presbyterian Medical Center in February said it paid attackers about $17,000 in bitcoin to unlock patient data after a ransomware scheme.
Healthcare entities need to keep in mind that there are other potential threats posed by ransomware beyond locking up patient information, Borten notes. "We can never assume that all it's doing is simply encrypting the data. That might be what we see because we can't get to our files, but there may be much more going on."
Organizations can avoid having to make a difficult decision about whether to pay a ransom after an attack, Borten says, if they take appropriate defensive precautions, such as properly backing up data to ensure availability.
In an interview at the Boston Fraud and Breach Prevention Summit, Borten also discusses:
- Why the healthcare sector has become the No. 1 target for ransomware attacks;
- The mitigation steps to take as soon as an entity suspects it's become a victim of a ransomware attack;
- Why more ransomware attacks are likely to eventually appear on the Department of Health and Human Services' Office for Civil Rights' "wall of shame" tally of major health data breaches as a result of OCR's recent release of new ransomware guidance.
Before founding The Marblehead Group, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its CISO.