Long-Term vs. Short-Term: Deciding Whether to Pay Ransom for a Hospital

Video Transcription
We just mentioned hospitals. Another scenario.

You are the chief operating officer of a large hospital in Washington, D.C. Right, our hometown. Your hospital's just been attacked by ransomware, and your staff has no access to patient data or any devices on the network. Patient care is being hindered with every moment that passes, including for 300 patients in critical care.
Lives are on the line here. The attackers are demanding about a million bucks in exchange for the decryption key. Do you pay the ransom?

You are tugging on heartstrings right now. So this is justice versus mercy more than anything else. These are real people that could die if you don't pay this, right?

Right. 300 people that, right now, are in critical care. Can you put a cost on an individual life, let alone 300 lives that are in critical care? They came to the hospital to seek treatment, and now they've suffered a cyber attack.
I think in this situation, again, you have to pay, because one, it's a hospital; two, it's critical care, right? It's 300 patients. Looking at the legal ramifications of you not paying, I think definitely the legal counsel is involved in this one, seeing who's liable. What was this breach? Was it because of negligence or improper controls that the hospital has implemented?

Sure, that actually comes into account in a lot of situations nowadays. When the post-mortem happens, is it traced? Could this breach have been prevented if proper compensating controls or mitigating controls were in place? So it's a hospital, so HIPAA is involved?

Yes. So once HIPAA gets involved, they're also going to look and see what controls were in place, whether they were negligent. If they were, it is definitely cheaper, or a better business decision, to pay at that point, because HIPAA is coming. But just looking at the ethical dilemma: these are 300 seemingly innocent individuals who were in the hospital seeking various kinds of care, whether it be surgery, emergency care, right? So their unfortunate demise should not be because of a cyber attack and a decision to not pay.

Yeah, a $1,000,000, right? If it was $100 million, maybe it's a different scenario. Back to what you said before: does the hospital have $100 million? What does the cyber insurance look like? Also, can they be transferred to other hospitals and receive similar care if the money is not available? So I think it's a lot of things that go into that decision tree. There are probably some patients that are more critical than others, so the luxury of time is probably not there for that.

But there are potentially other options. We are in Washington, D.C.; there are many hospitals.

But sure, it just depends on the criticality of the patient. If somebody's in the OR having a heart transplant and the hospital goes dark, that's a problem. And honestly, paying $2 million at that point may not save that particular individual.
And you don't even know if this is going to work, right? You really like it, and maybe the data is still messed up and you can't use it.

You bring up a good point with that: when they supply the keys, often it's not turnkey. You give me the encryption keys; now it's a process to decrypt what's been encrypted, so there is time that goes along with that. So paying may unlock some of the critical systems, but not the data, right? It may get you back online, but if you have local database servers that have been encrypted and you have terabytes or petabytes of data, I can personally tell you that the decryption process will not be a short one.

Right? No, it takes forever.

And yeah, who knows if it's going to work, right? Were the paper records available from the primary care physician? So there is a lot that will go into that, and I hope that never happens. But in the climate that we're in, with the attacks becoming more prevalent, there was actually a study that was done that looked at survival rates, specifically for heart patients receiving care at a hospital post-breach. So after the eradication and remediation efforts have been done and there have been new cybersecurity controls implemented, this study showed that there was an uptick in deaths as these controls were put in place, because the quality of care had been affected in the amount of time it took providers to access critical systems. And it was only a matter of minutes. But in critical heart cases, that's all you have: minutes and seconds.

Yeah, to potentially log into a system, access patient records or other data that you may need to begin treatment, right? So it is a tough one.

So even after trying to prevent further attacks, it's affecting the quality of care immediately.

Yeah. So you put more security in place, you have a better control, it's going to stop those ransom demands from coming in. But you're costing those minutes that actually cost people's lives, right? So you are making that decision, whether you put that control in place or not. You're really saying, like, this is the value of a human life, right?

Right. And so, yeah, that's why we have this framework, right? You have to consider what that value is for you, and also all the stakeholders and all the information that you can get.

Right. So you brought up multiple examples of decisions out there that might have not been the best, right, and more importantly, not the most thought through. So the main point is you've got to think through these decisions. You have to debate it. You have to consider all angles. Then you have to make a call. And if you don't make a call, then everyone loses.

Exactly right. And when we started to see this proliferation of ransomware attacks, and this was probably a couple of years ago, I actually had written a blog about making a proper business decision, which was not too popular with some of my colleagues and peers at the time. But we fast-forward two years and, going back to the FBI, they actually changed their position on to pay versus not to pay. Every business is different.

Due diligence now includes resiliency around when you're entering into agreements with new SaaS cloud providers. The question is now really around: if I'm going to put all of my business eggs in your basket, how are you going to assure me that, one, I can get my eggs back when I need them; you won't break my eggs; sure, somebody's not going to take my eggs; and I have access to my eggs regardless of what's going on? So resiliency is really key nowadays, especially when you're looking at cloud services and providers, because everybody's dumping this stuff in the cloud. But you really have to do a certain level of due diligence, because it's still somebody else's computer. You want to make sure that they take care of your baby as well as you would take care of it yourself.

Of course, yeah, and I think that's, well, we both have children already. We know exactly what that's like when you drop the kid off at the daycare center or something like that. You're looking around and trying to assess. Clearly, other kids are around there.

Absolutely. And that is a very good analogy; I have to borrow that one. But yeah, it's like evaluating daycare. You're not going to leave your kid at a daycare that looks sketchy, or where the providers, the care providers, are outside smoking a cigarette in the facility. You might say, I'm not doing that. Look, why's that kid crying? What's going on there? Like, you see 100 kids and, like, two people, two adults. It's like, yeah, that's probably going to work out too well.

Absolutely.
This ethical leadership training is taught by Cybrary's own Leif Jackson. It gives you a framework for how to make ethical decisions from a leadership perspective, delving into the common use cases and the rationale behind modern-day professional dilemmas.