To pay or to not pay for stolen data
by Kapua Iao
Here’s a direct question: Should you pay a ransom to get stolen data back? To pay or to not pay for stolen data is a conflict many organizations face.
Within the Paubox blog, we have talked at length about ransomware but have yet to explore this question specifically. But this query is pertinent today, especially for healthcare covered entities (CEs) working with sensitive protected health information (PHI).
The healthcare industry remains one of the most heavily targeted industries for cybercrime. And many hackers believe most CEs will pay to retrieve stolen PHI and/or to get back into their systems, especially during a health crisis.
Let’s explore the issue of paying for stolen data after a ransomware attack and how CEs should focus on prevention and protection first.
What is ransomware?
Ransomware is malware (or malicious software) used to deny a victim access to a system until a ransom is paid.
Victims typically download malware through phishing emails that carry malicious attachments or fraudulent links. Once a victim opens the attachment or clicks the link, the attacker gains access to the system.
In a ransomware attack, the attacker typically encrypts data and then demands a ransom. Over the past year, however, there has been a growth in exfiltration (where the attacker steals a copy of the data before encrypting it).
A breach is frustrating on its own, but the costs (and problems) that follow a ransomware attack can be severe.
Such damages include unrecoverable data, upset patients, service shutdowns (including during emergencies), a damaged reputation, fees related to closures or cybersecurity changes, a possible investigation by the U.S. Department of Health & Human Services (HHS) Office for Civil Rights, possible HIPAA violations, and of course, the ransom payment.
And exfiltration adds even more complications, because the stolen PHI may be publicly exposed.
Accordingly, ransomware is the biggest threat to email security today.
The costs of both refusing to pay and paying a ransom can be high depending on the type of ransomware, the threat actor, and the CE itself.
To pay or to not pay after a ransomware attack
There may be benefits to paying a ransom, but unfortunately, the benefits are not always guaranteed.
|Possible Benefits|Possible Problems|
|---|---|
|Decryption key provided|Time-consuming negotiations|
|Data deleted by hackers|Released data (before or after ransom paid)|
|Shorter data recovery time|Fake decryption key provided|
| |Traded, sold, or held data|
| |Demand for more money|
| |Word spread about willingness to pay|
In 2019, Hackensack Meridian Health paid a ransom for access to its stolen PHI. Shortly thereafter, a spokesperson stated, “We believe it’s our obligation to protect our communities’ access to health care.”
And this year, Champaign-Urbana Public Health District was forced to pay $350,000 to regain access to its systems. The district met the demands because it wanted a shorter recovery time. Furthermore, its cyber insurance could cover most of the ransom.
In both cases, no issues seemed to arise after payment, but this isn’t always the case.
For example, Kansas Heart Hospital was hit in 2016, paid a ransom, and then was ordered to pay more.
And recent research on specific ransomware groups suggests that exfiltrated data is often still published, kept, or sold by the attackers even after the victim pays:
- Sodinokibi: re-extorted weeks later
- Maze/Sekhmet/Egregor: posted accidentally or willfully before a theft was known
- Netwalker: posted after organizations paid
- Mespinoza: posted after organizations paid
- Conti: used fake files to show proof of deletion
In other words, paying a ransom does not always guarantee security.
So should I pay to get stolen data back?
A recent joint alert—between HHS, the Federal Bureau of Investigation, and the Cybersecurity and Infrastructure Security Agency—does not recommend paying ransoms:
Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
But such statements, while emphatic, are not always helpful on their own. Each CE should also contemplate five questions when deciding whether to pay:
- Can you legally pay?
- Does paying solve the immediate problem?
- Does paying solve the longer-term problem (for you)?
- Does paying solve the longer-term problem (for everyone)?
- Is paying “cheaper” than the alternative?
Paying the ransom may solve immediate problems and may be a cheaper alternative. But in the long term, security is not guaranteed. This is why paying a ransom is not a long-term solution.
Avoid data-stealing with strong cybersecurity
In the early days, ransomware victims could largely ignore an attack if they had adequate backups. But exfiltration means backups alone no longer protect the data, and new technologies, new ways for people to connect, and new ways for hackers to attack mean more attention must be placed on prevention and protection.
For a CE, this means utilizing HIPAA compliant email to meet HIPAA standards of email security. The HIPAA Privacy Rule establishes how PHI can be disclosed while the Security Rule describes guidelines for protecting ePHI (electronic PHI).
Under HIPAA, a CE’s cybersecurity program should guard against, detect, and record malware incidents. It should also manage data backup and recovery.
This means using solid email security such as Paubox Email Suite Plus, which provides robust inbound security tools that stop threats before they reach a user’s inbox.
To pay or not to pay is a tough question, one that no CE wants to face. This is why CEs must focus on prevention strategies before ransomware wreaks havoc.