Why Some Entities Pay Extortionists to Unlock Patient Data
Security Expert Ron Pelletier Discusses the Decision to Pay, or Not to Pay, a Ransom
Law enforcement officials strongly advise against paying ransoms to extortionists after a ransomware attack. Nevertheless, some healthcare entities choose to pay ransoms to unlock encrypted data after carefully weighing many factors, says security expert Ron Pelletier.
"If they decide to pay, there are factors involved that are beyond 'we're not able to recover'. It might be to facilitate the timeliness of recovery," says Pelletier, a partner at the security consultancy Pondurance.
Among the healthcare entities that have admitted paying ransoms to unlock their data is Indiana-based Hancock Health, a healthcare system that includes Hancock Regional Hospital and more than 20 other healthcare facilities.
In January, Hancock said it paid four bitcoins, valued at the time at $55,000, to unlock its systems following a ransomware attack on Jan. 11. Hancock Health hired Pondurance "as the incident was occurring to help," Pelletier says.
To Pay, or Not to Pay
In weighing the decision to pay or not to pay a ransom, some healthcare entities consider "if we pay this, then there's some assurance we're going to get our [decryption] keys, and we'll be back in business sooner," Pelletier says in an interview with Information Security Media Group.
"There's a lot of risk that goes into it. It's certainly not a good or bad decision to pay; it depends on what's right for the organization, based on the situation they're in, based on the conditions they're facing ... and their risk tolerance, as well."
Pelletier says there likely are far more organizations paying ransoms than has been reported.
"The dollar amounts that these bad actors are putting forward for the ransoms, some think it's a very manageable fee - and a lot of these bad actors have a reputation for making good on giving the keys to facilitate the decryption upon receiving their payment, usually in bitcoin," he says.
"So, knowing that, a hospital may think it's the quickest course of action," particularly if it has not tested its ability to back up data and systems, he says.
In the interview, Pelletier also discusses:
- Other factors for healthcare entities to consider when faced with a ransomware attack;
- How incident response plans need to change based on the kind of breach or cyberattack an organization is facing;
- Why some healthcare entities are increasingly potential victims of cryptocurrency mining attacks.
Pelletier is a partner with Pondurance, LLC, an information security services provider based in Indianapolis. Before establishing Pondurance in 2008, Pelletier was a senior manager with Ernst & Young's technology risk practice. Pelletier also served in the U.S. Army and Indiana's Army National Guard, where his roles included chief of operations and risk management and Computer Emergency Response Team leader.