Develop a Payment Strategy in Case of a Ransomware Attack
The primary question facing any hospital experiencing a ransomware attack is whether they should pay the ransom. This is an extremely difficult decision, and it’s best to think it through before an incident occurs, rather than in the heat of the moment.
On one hand, paying the ransom offers the possibility of a quick and easy resolution of the emergency. On the other, ransom payments present legal, ethical and operational issues that organizations must consider.
As hospitals wrestle with the question, they should seek legal guidance to ensure that they don’t run afoul of any laws or regulations. For example, the U.S. Treasury’s Office of Foreign Assets Control recently published guidance declaring that some ransomware payments may violate federal law. Navigating these regulations can be quite tricky, and legal expertise is definitely required.
From an ethical perspective, paying a ransom rewards wrongdoing and encourages future attacks. Healthcare administrators must weigh this generalized concern against the very real and imminent risk to patient safety during a ransomware attack.
Finally, there’s no guarantee that the attacker will deliver the decryption key required to end the attack after receiving the ransom payment. Most attackers do deliver the key, but organizations considering any payment should research the past habits of their attacker to the extent possible. Consulting threat intelligence reports may provide valuable insight.
Engage an Incident Response Firm
Ransomware attacks may be technically sophisticated, and organizations that quickly engage subject matter experts will likely experience better outcomes. These experts can provide information about similar attacks against other organizations, identify whether attempting to reverse the infection is feasible, and guide the hospital through the incident response process. The hospital and IT team may be experiencing their first ransomware incident, but these subject matter experts handle them every day.
It’s important to build a relationship with an incident response vendor before an attack occurs. Negotiating an agreement, completing the paperwork and arranging payment are time-consuming and will slow the deployment of expert assistance. Many incident response firms are willing to enter no-cost or low-cost retainers that get that paperwork out of the way before an incident occurs and then guarantee a rapid response when activated.
Purchase Cybersecurity Insurance to Protect Your Organization
Cybersecurity insurance policies were once exotic options used by only a handful of organizations. Now, they’re a common element of every large organization’s cybersecurity risk management strategy.
These policies primarily insure against the financial impact of ransomware and other cybersecurity threats, but they also provide access to expertise in incident response.
Once a policy is purchased, the insurance carrier’s interests are aligned with those of the hospital. Neither organization wants the hospital to experience a disruptive and costly cybersecurity incident, and both want to act as quickly as possible to contain the damage. For this reason, cybersecurity insurance providers may dispatch technical experts to help minimize the damage caused by any ransomware attack. In fact, having an incident response team on retainer may be a requirement of coverage for a cybersecurity insurance policy.
Insurance carriers recognize the significant financial risk posed by cybersecurity attacks, and they aren’t willing to simply issue policies without conducting their own due diligence. Hospitals considering purchasing a policy should expect the carrier to conduct a cybersecurity assessment prior to issuing the policy. It’s likely the carrier will identify deficiencies and require that the organization remediate any serious issues before granting coverage.