LAS VEGAS – The FBI and Department of Homeland Security have always recommended against paying up when cybercriminals demand exorbitant bitcoin deposits to decrypt files seized by ransomware.
But in a healthcare setting, where continuity is critical and often a matter of life and death, that advice is not so cut-and-dried.
During a HIMSS21 keynote on Tuesday morning, a group of security experts debated a crucial question that more and more healthcare organizations have been asking themselves recently: to pay, or not to pay?
The panel – retired Admiral Michael S. Rogers, former director of the National Security Agency and former Commander of the U.S. Cyber Command; Alex Stamos, founding partner at Krebs Stamos Group and former security chief for Facebook and Yahoo; Michael Coates, cofounder and CEO of Altitude Networks and former CISO at Twitter; Israeli cybersecurity analyst, author and researcher Keren Elazari; and Jigar Kadakia, chief information security and privacy officer at Mass General Brigham – all had different opinions on the topic.
“There’s no broad legal prohibition in the U.S. against a company paying ransom, with one notable exception,” Adm. Rogers noted. “It is illegal to pay ransom to a group, individual, nation state or entity that’s been sanctioned, either by the U.S., the United Nations or any other international body.”
But whether you pay “should be a different conversation than should you be talking to these individuals,” Rogers added.
“I always say you should be speaking to the criminals, for two reasons: one, it can give you time – time to help your defenses and help your organization respond – and two, it can sometimes be a source of insight into what this actor has done.”
While the former Cyber Command chief noted that his “personal and professional preference has always been not to pay,” he did acknowledge that there are “some circumstances where some organizations think it’s the appropriate thing to do. I think it’s appropriate when we’re talking about life or death, and that’s certainly a challenge within the healthcare arena.”
His advice? “Rather than having a concrete ‘always’ or ‘never,’ think about the criteria you will use to make that decision, should you find yourself in a ransomware crisis.”
Stamos took a different view, arguing that ransomware payments should be made illegal in most cases.
“The great evil genius of ransomware is that, in the micro picture, if you are a victim, and you’ve come in on Monday morning, and your exchange servers are locked up, and none of your systems are working, and people have no idea what the hell they’re doing that day, and you’ve got a ransom alert saying, ‘We’ve got all your data,’ It almost always makes logical sense to pay,” he explained.
“For all your stakeholders, your employees, your shareholders – in this case your patients – it probably makes sense to pay,” he said.
“And that’s the genius of it: All of the incentives are lined up that it’s probably cheaper to pay a couple million dollars. Because the moment you call a DFIR [digital forensics and incident response] company and outside counsel, you’re at seven figures in billing already. So it’s cheaper to pay.”
That’s why “we need to outlaw ransom payments,” he said.
“Generally today, companies do not face legal sanction for this. You have the FBI saying please don’t pay. But they have no way to really enforce that.’ And in the moment you’re not going to take that advice.”
That’s where the Office of Foreign Assets Control should come in, said Stamos, referring to the financial intelligence and enforcement arm of the U.S. Treasury Department, which enforces trade sanctions to support U.S. national security.
“What I would like to see is I’d like to see the top 10, top 20 ransomware teams all designated as OFAC actors,” he said. “While that technically would not outlaw all ransom payments, it practically would because you would have no idea if you’re operating with one of those in that capacity.
“That’s the only way we can disrupt the economic balance here, because the economics are just working out way too well on the attackers’ side.”
Elazari agreed that “it’s the perfect crime, ransomware. ‘We steal your access to your information and, if you don’t pay us, we’re going to give your information to everyone else.’ And I don’t think that’s going to go away anytime soon. It’s very successful, and they’re just getting started. They’re evolving, they’re sophisticated, they change their methods all the time.”
Her advice to healthcare organizations that find themselves in hackers’ crosshairs: “If you’re considering paying, definitely negotiate. From what I’ve seen, there’s a lot of times where negotiating can half the price or bring it down to a manageable amount.
At the same time, Stamos joked, “it’s amazing how bad the ransomware people are at negotiating. They’ll throw out a Dr. Evil number like $50 million dollars.”
“We’ll give you $2 million. ‘OK,'” said Elazari with a laugh.
“In the negotiating process, you learn more. You learn about their motivations, you learn maybe details that could assist in investigation and enforcement.”
“Certainly, I think we have to be more prepared,” she added. “Don’t do it alone. That’s my message. Find out who you are and trust to partner with. You need to know who your Ghostbusters are, so you know who you’re gonna call when something happens.”
“One of the challenges here is that some of the skills that are needed are outside the realm of what most organizations have within them,” said Rogers. “Most organizations do not have folks who know about bitcoin wallets or are familiar with the negotiation piece.
‘One of the things you need to think about in advance is what are the skills, what are the capabilities to do with the ransomware that they have to get from the outside?” he said.
Hospitals and health systems are in a unique and challenging position when it comes to ransomware, Coates acknowledged.
“The goal of your organization is to protect lives and humans. And we need to boil it down to that question. It’s continuity. You need to get systems up and running. You need to save lives. When you find yourself in that situation, yes, it may make sense to pay the ransom.”
His advice: “If you’re not in that situation now, use that breathing room to figure out a plan of attack beforehand.”
An inside look at the innovation, education, technology, networking and key events at the HIMSS21 Global Conference & Exhibition in Las Vegas.