Hospital Pays Ransom in Exchange for Promised Data Destruction
Decision to Pay Highlights Healthcare Sector Challenges
The recent decision by a Massachusetts-based hospital to pay a ransom in exchange for promises by the attackers to destroy stolen data spotlights the difficult choices and pressure many healthcare entities are facing in the wake of cyberattacks.
In a May 28 data breach notice posted on its website, Attleboro, Massachusetts-based Sturdy Memorial Hospital says that on Feb. 9, it identified a security incident that disrupted the operations of "some" of its IT systems.
"Our systems were secured later that same day," the hospital notes.
But it adds, "In exchange for a ransom payment, we obtained assurances that the information acquired would not be further distributed and that it had been destroyed."
When ransomware attacks seriously impede the ability of hospitals and medical practices to provide care to patients, they need to make the difficult choice of whether or not to pay.
Some experts are adamantly against entities paying cybercriminals. "Every time you pay a ransom, you are essentially the banker for the next attack," says Caleb Barlow, CEO of security and privacy consultancy CynergisTek. "The only way we will stop ransomware is to change the economics for the bad guys and stop paying."
The data breach Sturdy experienced affected tens of thousands of patients.
The hospital reported the incident to law enforcement officials and regulators. The Department of Health and Human Services' HIPAA Breach Reporting Tool website listing breaches affecting 500 or more individuals shows the hospital reported the hacking incident on May 28 as having affected the protected health information of nearly 57,400 individuals.
In its notification statement, the hospital says its analysis of the incident determined that the stolen files contained information belonging to Sturdy patients, as well as some patients of several local healthcare providers that Sturdy had previously partnered with for coordination of care.
Sturdy says its electronic health record system was not involved in the incident.
Potentially compromised healthcare information included patients' medical history information, treatment or diagnosis information, procedure or diagnosis codes, prescription information, provider names, medical record numbers, Medicare/Medicaid numbers, health insurance information, and treatment cost information, the hospital says.
Other affected information includes names, addresses and phone numbers, dates of birth, Social Security numbers, driver's license numbers and other government-issued identification numbers.
Potentially compromised financial information includes account numbers, routing numbers and/or bank names, credit card numbers and security codes, and Medicare Health Insurance Claim numbers, Sturdy says.
The hospital says in a statement to Information Security Media Group: "We paid a ransom to obtain assurances that the information acquired without authorization would not be further distributed and had been destroyed."
But Sturdy Memorial also concedes: "We can never know for certain if the criminal ransomware attackers will fulfill their promises. However, to date, we are not aware of any Sturdy data that was published by the attackers."
In the wake of the incident, Sturdy Memorial tells ISMG that it has "implemented additional safeguards and technical security measures to further protect and monitor our systems to help prevent future occurrences of this nature."
The hospital declined ISMG's request for additional details about the incident, including the amount of the ransom payment.
Threat analyst Brett Callow of the security firm Emsisoft notes that it is unclear from what Sturdy has disclosed publicly whether the hospital paid to obtain a decryptor, or whether it was able to recover using backups and paid only to prevent the release of exfiltrated data.
"Paying to prevent the release of data makes little sense but, despite this, it’s exactly what numerous organizations have done," Callow says.
"The 'assurances' in cases like this are nothing more than 'pinkie promises' from untrustworthy bad faith actors and, unsurprisingly, there is ample evidence that the actors do not necessarily abide by those pinkie promises. Why would they?"
Callow says a mandatory cyber incident reporting framework is needed, and not only for ransom payments. "At the moment, there is far too little insight into the landscape with only a minority of incidents being disclosed or reported to law enforcement," he says.
"As a result, it's not even clear how many incidents there are, let alone why they happen, what the impact is and whether a ransom was paid. And this information is critical."
Pay and Tell?
In the meantime, does Sturdy's public announcement that it paid a ransom help or hurt?
Mike Hamilton, former CISO of Seattle, Washington, and current CISO of security firm Critical Insight, says hospitals admitting they paid a ransom to avoid disruptions to patient care or to hopefully block the release of sensitive health information are "viewed positively by patients, and negatively by pundits that do not operate health sector facilities."
There was likely significant deliberation about this internally, with Sturdy's legal and public communication teams at the table, he says.
"The perception created by the announcement is that the hospital's first priority is patient care, and if paying a ransom - with law enforcement and the insurance provider in the decision loop - is the quickest route back to full operational capacity, the hospital is willing to do that. Full transparency is also appreciated, and may be a lesson learned from the situational opacity from other victim organizations."
Hamilton warns, however, that "criminals cannot be trusted, and it's naive to think that the records purloined will not be monetized in some other way. Again though, given that the primary focus is patient care and the situation required immediate resolution it’s not clear that there was any other choice than to trust that the actors will keep their word."
Hamilton notes that the anonymity provided by cryptocurrency transactions is fueling these crimes. "Regulate cryptocurrency," he says.
Also, the U.S. government can take other steps that "in aggregate would break the business model of the ransomware operators, along with making them think twice about choosing targets in the U.S.," he adds.
That includes the U.S. government putting "ransomware gangs on notice. We're not treating this as crime any longer. We're beginning to call it terrorism, and we still operate a perfectly usable criminal housing facility at Guantanamo Bay," he says.
The Department of Justice is reportedly elevating investigations of ransomware attacks to a priority similar to terrorism in the wake of the Colonial Pipeline hack and mounting damage caused by cybercriminals.
On June 3, U.S. Deputy Attorney General Lisa Monaco issued a memo to all federal prosecutors detailing "new requirements relating to ransomware or digital extortion attacks and investigations and cases with a nexus to ransomware and digital extortion" (see: White House Urges Businesses: Improve Ransomware Defenses).
The guidance, the release of which was first reported by Reuters, notes that the ransomware attack that disrupted privately run Colonial Pipeline underscores "the growing threat" posed by such attacks to the U.S., "and the destructive and devastating consequences ransomware attacks can have on critical infrastructure."
While federal officials tackle strategies for combating rising cyberthreats facing the nation, healthcare sector entities must take proactive steps to better prepare for such assaults, some experts note.
"Having a strong cybersecurity infrastructure, performing validation that the systems and tools in place actually work, doing robust incident response exercises, etc., can help ensure the organization is not the victim of a ransomware attack in the first place," says regulatory attorney Marti Arvin of CynergisTek. Thus, decisions about paying ransoms are "a moot point," she says.