Why Hancock Health Paid the Ransom

The conventional wisdom on ransomware is that you should never pay. In practice, though, healthcare organizations often don’t have time to wait for a resolution or restore their systems from backup, even if they have them.

“It’s not just loss of revenue. Patient care can be delayed, and that’s the scariest piece of it from a healthcare standpoint. The mission of the organization can be stopped abruptly, and we want to get to a resolution as quickly as possible,” Dustin Hutchison told Healthcare Analytics News™. Healthcare organizations end up paying the ransom more frequently than other types of businesses, he said.

Hutchison knows firsthand. He’s a partner at Pondurance, a cybersecurity firm that advised Indiana’s Hancock Health after they were hit with a SamSam attack earlier this year. He said the hospital called their incident response hotline at 3AM when the attack was detected, and his company got to work immediately.

Hancock did pay the ransom—about $47,000 worth of Bitcoin, reportedly—which Hutchison said was the hospital’s internal decision. It did have backups, but it chose to act as quickly as it could. And that may have been the right decision, it turns out.

“At the time the decision to pay the ransom was made it was believed that the backup files had not been directly affected,” Hancock Health CEO Steve Long wrote in a blog post. “Several days later it was learned that, though the electronic medical record backup files had not been touched, the core components of the backup files from many other systems had been purposefully and permanently corrupted by the hackers.”

The purported risk of paying the ransom is that by caving to the attackers, a company will demonstrate vulnerability and become subject to more attacks, but in Hutchison’s experience that’s uncommon.

“Historically, we have not seen that tag along additional payment,” Hutchison said. “The bad guys really do show good customer service, they don’t want to get the reputation of not unencrypting because then no one would pay.”

Even though SamSam attacks are known to be tailored and detonated specifically on a breached network, those behind them may be blind to certain aspects of the business they are attacking. The attackers in Hancock’s case ended up providing the hospital more unencryption keys than were needed, Landon Lewis, one of Pondurance’s founding partners, said.

Unfortunate as the situation may be, hospitals’ hands are often tied when it comes to paying the ransom. Both Lewis and Hutchison said that’s a business decision that the hospital will have to make after evaluating their situation. What’s important after that is making changes to try to ensure it does not happen again.

“For lack of a better term, ‘cyber hygiene’ is something that entities can practice, how you let 3^rd parties interconnect to your system is something I would focus on,” Lewis said. Healthcare groups might have multiple public-facing systems that contain access to critical information, and for those, multi-factor authentication should be considered. It’s also important to constantly take stock of all the entry points and users with access to the network.

“If you think about risk management not just for [HIPAA-protected information] but for the whole enterprise, and continually reevaluate potential exposure, it all goes hand in hand,” Hutchison added. “There is no silver bullet. It boils down to risk management on a proactive basis.”