“We own your servers. We own your systems. We own your patients’ medical records.”
A hospital was taken down by a cyber-attack, where the ransom demanded peaked at 4,032 Bitcoins (around $40 million today…). What was top management's first thought? Pay the ransom.
Sound familiar? It may do if you’re a ‘Grey’s Anatomy’ fan. This headline, although fictional, was inspired by real-life events and the WannaCry attack on the NHS and other healthcare organizations around the globe, which affected 230,000 computers across 150 countries, leading to widespread disruption and panic.
This episode of Grey’s Anatomy not only exposed the reality of cyber-attacks to the general public but also exposed the critical implications of cyber-threats in hospitals; a risk that could, in theory, affect everyone.
Not another cyber-attack…
Cyber-attacks continue to dominate the front-page headlines and, although we all understand what they are and how business continuity and resilience practitioners respond to them, one question remains unanswered:
‘Should we pay the ransom?’
In this episode of the hit series Grey’s Anatomy, the COO of the hospital consults the FBI for support with the goal of retrieving the data. Although warned of the risks of paying a ransom, the COO eventually decides the ransom should be paid to protect the patients’ data and recover service within the hospital as quickly as possible. Whilst morality was applied to this situation, the question of risk still stands. If you pay the ransom, can you guarantee to get your data back? Will the data be safe? It’s unlikely… Cyber-attackers are criminals after all…
What can hospitals do to avoid this situation?
Instead of waiting until the disaster occurs and then relying on morality or government support to make a decision for you, hospitals (and organizations alike) must ensure that they are protected from the threat of cyber-attack. You can’t always stop it from happening, but you can plan and mitigate against catastrophic impacts.
- Back up your data so you can always restore lost data, and test that the restore actually works.
- Keep servers and ICT systems segregated with a reasonable safe separation so that a compromise of one cannot spread to the rest.
- Keep software up to date with security patches.
- Train staff to work without access to ICT facilities.
These are just some of the possible mitigations, and they won’t always be feasible or even possible (especially in healthcare, where data is constantly changing). Still, it’s vital that everyone considers what they can do before the disruption happens, not during or after.
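The first mitigation above only helps if the backup can actually be restored after an attack, so the check a continuity practitioner wants is a restore drill: record a hash of every file when the backup is taken, restore into a clean location, and compare before relying on it. The script below is an added example written for this post, not code from the series or from any organization mentioned; all file names and record contents are constructed inline, and `run_restore_drill` is a hypothetical helper that stands in for a real backup job.

```python
"""Backup restore-check: hash every file at backup time, then prove the
restored copy matches before trusting it. All sample files below are
constructed inline; this is an added example, not code from the post."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict, restored: Path) -> list:
    """Compare a restored tree against the manifest taken at backup time.
    Returns a list of human-readable findings; an empty list means the
    restore is complete and byte-for-byte identical to what was backed up."""
    findings = []
    present = build_manifest(restored)
    for rel, digest in manifest.items():
        if rel not in present:
            findings.append(f"missing: {rel}")
        elif present[rel] != digest:
            findings.append(f"hash mismatch: {rel}")
    for rel in present:
        if rel not in manifest:
            findings.append(f"unexpected file in restore: {rel}")
    return findings


def run_restore_drill(tamper: bool = False) -> list:
    """Hypothetical drill: build a constructed 'live' tree, back it up, restore
    it elsewhere and verify. With tamper=True one restored record is altered
    to show how a damaged or incomplete restore is caught before it is used."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        (live / "records").mkdir(parents=True)
        # Constructed sample data only; no real patient information.
        (live / "records" / "patient-0001.txt").write_text("constructed sample record 1\n")
        (live / "records" / "patient-0002.txt").write_text("constructed sample record 2\n")
        (live / "config.ini").write_text("[ehr]\nversion=1\n")

        backup = Path(tmp) / "backup"
        shutil.copytree(live, backup)
        # The manifest is taken at backup time and kept apart from the backup
        # itself, so a later tampered or truncated copy cannot rewrite it.
        manifest = build_manifest(live)

        restored = Path(tmp) / "restored"
        shutil.copytree(backup, restored)
        if tamper:
            (restored / "records" / "patient-0002.txt").write_text("corrupted\n")
        return verify_restore(manifest, restored)


if __name__ == "__main__":
    print("clean restore findings:", run_restore_drill())
    print("tampered restore findings:", run_restore_drill(tamper=True))
```

Run on a schedule against a real backup set, the same `verify_restore` call turns "we have backups" into "we have restored the backup and it matches", which is the evidence top management needs before the question of paying a ransom ever arises.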