Paying Ransom Is a Loser’s Game
By Greg Freeman
Healthcare organizations have paid ransom to regain access to their computer systems, but that is a bad move, says Israel Barak, chief information security officer with Cybereason, a cybersecurity company headquartered in Boston.
Some hospitals and health systems even gamble that they will never be hit with ransomware and spend little on cybersecurity — accepting that if they are hit, they will have to pay the ransom to recover, Barak says. Recently, Cybereason surveyed organizations that paid ransom, and found that it was not successful in the long run.
“An interesting result of the survey is that it really doesn’t pay to pay. We’ve seen that 80% of organizations that paid the ransom were hit a second time, and even a third time,” Barak says. “Sixty percent of them said that the second attack came in less than a month after the first attack. Sixty-seven percent reported that the threat actors demanded a higher ransom amount that second time. Some were even hit a fourth time.”
Those numbers can be used to show health leaders the worst-case scenario is not simply paying the ransom and moving on, Barak says. That only emboldens the criminals and confirms there is no security to stop them from returning. Preventing the attack must be a priority.
“We still need to educate from a risk management perspective,” Barak says. “We’re still at a point where we need to educate a lot of our peers that even though it sounds like paying ransom might make sense, it is actually a losing strategy.”
Healthcare organizations have paid ransom to regain access to their computer systems, but that is a bad move, experts say.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.