Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

Refusal to pay is the newest strategy to combat ransom attacks

Written by Abby Grifno | July 07, 2023

Over the last few months, Paubox has covered many ransom attacks affecting hospitals. As we've covered the attacks in Illinois, California, Tennessee, and others, a trend in cybersecurity strategy has emerged.  

What's new

According to a recent report on Q2 trends, ransomware is a booming business. The report analyzed ransomware attacks worldwide and found a staggering 67% increase in cases between Q1 and Q2. 

While we knew that cyberattacks had increased in 2022 and continue to target smaller clinics, the skyrocketing number of attacks is forcing healthcare companies to contemplate new strategies in an attempt to ward off future attacks.

Cybersecurity experts are advising organizations to not pay ransoms, as paying provides monetary support for malicious organizations and doesn't necessarily prevent information from being sold. 

Why it matters

According to the American Hospital Association (AHA), ransomware attacks place significant pressure on healthcare systems that are still recovering financially from the pandemic. 

Ransomware attacks are also increasingly state-sponsored, meaning paying a ransom could inadvertently support a program with ill motivations toward the US or others. 

Outside of this, attacks can be more harmful to hospitals than other industries. As sophistication improves, some attacks target specific medical devices and can prevent vital processes from being carried out. Hospitals feel the impact, and so do patients who may not be able to get appointments or treatments until the situation is resolved. 

For healthcare companies that do pay, it's a hefty bill and can make organizations vulnerable to more attacks in the future.  

What they're saying

John Riggi, Senior Advisor for Cybersecurity and Risk at the AHA, believes the "situation is analogous to 9/11" in the necessity of new infrastructure and strategy to fight against ransomware. 

Patterson Cake, a consultant with the cybersecurity firm Avertium, advised against paying ransoms in an interview with Chief Healthcare Executive, but notes that there are instances where it may be the right decision. "Number one, I hate to reward the villains," Cake says. However, he doesn't take a purely definitive stance: "I would never say never… Leave it as a potential option when it is legal and feasible."

Cake suggests that healthcare companies put money into updating their defenses instead, but of course, this is a difficult ask after the attack has occurred. 

Riggi says that when healthcare organizations decide to pay, it's "based on patient safety issues" and not just economics. He adds, "It's the equivalent of having a digital gun pointed at your head and at your patients." Still, experts say not to pay whenever possible, and many hospitals are taking note. "You're incentivizing them to continue to attack… You're funding a criminal organization, which may have actual nation-state sponsorship and backing," says Riggi. 

What's next

For healthcare companies like Murfreesboro Medical Clinic, it's unclear how their strategy of not paying will play out. They've already dealt with some of the harshest repercussions, like closing down certain offices for several days, but it's unclear what could happen if their data is sold, as the ransomware group BianLian has threatened.

Read more: Tennessee clinic confirms over 500,000 affected by ransomware attack. 

For other organizations, like Illinois' St. Margaret's Health, the effect of ransomware has been too challenging to recover from.

As targeted companies continue to reckon with unprecedented attacks, it will take time to see if the no-pay trend will decrease the attacks or result in more data sold for nefarious purposes. 

Related: HIPAA Compliant Email: The Definitive Guide.