Erie County Medical Center in New York fell victim to a ransomware attack in April, leaving the hospital with the decision to pay the ransom and potentially recover its data, or lose its encrypted files to a cybercriminal. The cyberattack, which took down over 6,000 computers, came with a ransom demand of $30,000 (24 bitcoins valued at $1,215 each). ECMC chose not to pay the ransom, following the advice of security experts and law enforcement. An article published by The Buffalo News explores the attack faced by ECMC and the cost and process of its recovery.
Although it may seem like paying the ransom would make the most sense for keeping costs as low as possible during a ransomware attack, that is not always the case. There is never a guarantee that the attacker will provide the infected organization with the decryption key they promised. Even if a key is provided by the attacker, there is no guarantee that using it will truly remove the malicious software.
How much did the massive cyberattack cost ECMC?
Hospital officials estimate the incident cost them nearly $10 million.
“About half of that amount is for computer hardware, software and assistance needed in the response. The other half represents a combination of increased expenses, such as for staff overtime pay, and lower revenues from the loss of business during the system down time.”
The hospital also plans to start spending between $250,000 and $400,000 each month to upgrade technology and further improve employee education on cybersecurity.
Fortunately for ECMC, it chose to increase its insurance coverage from $2 million to $10 million last November. According to the hospital’s chief executive officer, Thomas Quatroche Jr., the increased coverage came as a result of recommendations made by the hospital’s general counsel, internal auditors and insurance brokers. Quatroche believes the hospital will be able to recover the losses from the ransomware attack through its insurance claim.
How did the ransomware infect ECMC?
“Officials believe a hacker or hackers used an automatic program that anti-virus software could not recognize to exploit a hospital web server accessible remotely that should have been configured differently to prevent an incursion. The hackers then applied ‘brute force’ computing — trying millions of character combinations to identify a relatively easy default password to gain entrance into the hospital’s system. Once they had breached the perimeter, it’s believed the intruders then logged in and encrypted files in a way that made it more difficult to recover data.”
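The pattern described in that quote (many failed password guesses from one source against a remotely reachable server, followed by a successful login) is what a defender would want an alert for. Below is an added example, not code from the article or from ECMC, that flags that pattern over constructed login log lines in a hypothetical format; the log format, addresses and thresholds are all assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not real ECMC data): one address
# hammers the "admin" account with guesses and then gets in; a staff member from
# another address mistypes a password twice and then logs in normally.
BASE = datetime(2017, 4, 9, 2, 0, 0)
ATTACKER, STAFF = "198.51.100.7", "192.0.2.44"   # documentation-range addresses
SAMPLE_LOG = [f"{(BASE + timedelta(seconds=3 * i)).isoformat()} LOGIN_FAIL user=admin src={ATTACKER}"
              for i in range(25)]
SAMPLE_LOG.append(f"{(BASE + timedelta(seconds=78)).isoformat()} LOGIN_OK user=admin src={ATTACKER}")
SAMPLE_LOG += [f"{(BASE + timedelta(minutes=m)).isoformat()} LOGIN_FAIL user=nurse1 src={STAFF}"
               for m in (1, 2)]
SAMPLE_LOG.append(f"{(BASE + timedelta(minutes=3)).isoformat()} LOGIN_OK user=nurse1 src={STAFF}")
SAMPLE_LOG.sort()   # ISO timestamps sort lexically, so this orders the log by time

LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+) src=(\S+)$")


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {src_ip: {...}} for every source that produced at least
    `threshold` failed logins inside a sliding `window`, and record whether a
    successful login from that source followed (the worst case: the guess worked)."""
    recent = defaultdict(deque)   # src -> timestamps of failures still inside the window
    alerts = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue              # skip lines that do not match the expected format
        ts, event, user, src = m.groups()
        t = datetime.fromisoformat(ts)
        if event == "LOGIN_FAIL":
            q = recent[src]
            q.append(t)
            while q and t - q[0] > window:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(src, {"user": user, "success_after": False})
                alert["failures"] = len(q)
        elif event == "LOGIN_OK" and src in alerts:
            alerts[src]["success_after"] = True   # guessing was followed by a login
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {src}: {info['failures']} failures on '{info['user']}', "
              f"login succeeded afterwards: {info['success_after']}")
```

With the defaults only the attacking address is reported; the two staff typos stay below the threshold.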
The cyberattack suffered by ECMC is just one of many wreaking havoc across the globe. Not only are cyberattacks a global problem, but they are also increasing in number. The Internet Crime Report published by the Federal Bureau of Investigation for 2016 shows that 298,728 complaints were filed last year. While this number may appear large, the FBI estimated that only 15 percent of the nation’s cybercrime was reported.
A study released by Symantec in April found that in a ransomware attack, 64% of American victims would pay the ransom compared to 34% internationally. The high number of ransomware victims willing to pay the ransom could account for the low percentage of individuals reporting cybercrime to the FBI.
The Symantec study also found that email is becoming a favorite method of attack for cybercriminals.
“Its review found that 1 in 131 emails contained a malicious link or attachment – the highest rate in five years. The review noted that business email phishing scams — in which criminals impersonate a company official in an attempt to get an employee, customer or vendor to transfer funds or sensitive information to the phisher — scammed more than $3 billion from businesses over the last three years.”
Why do cybercriminals target the health care industry?
To begin with, healthcare has many interconnected computer systems, giving cybercriminals access to many different areas such as patient records and medical devices. In addition, the health care industry often falls short on in-house expertise, resulting in weak security measures.
Education can make a difference
One of the best ways to prevent a cyberattack is to increase employee awareness of the issues surrounding cybersecurity. Educating employees on how to spot a phishing email and how to respond quickly if an attack does occur is vital. Quatroche is encouraging other health care officials to train employees using real-life scenarios, so that employees know how to react if an attack does occur.