YOU’VE BEEN HACKED. NOW WHAT? Health care companies are retaining help — often from Silicon Valley — to manage ransomware attacks.
The debilitating breaches at Change Healthcare, owned by UnitedHealth Group, in February and Ascension last month come as the Cybersecurity and Infrastructure Security Agency warns of a specific ransomware service targeting health care organizations — and have led cybersecurity experts to advise the sector on reducing risk.
UnitedHealth Group and Ascension hired cybersecurity firms — Mandiant, a subsidiary of Google; Palo Alto Networks’ Unit 42; and CYPFER — after the breaches. The ransomware experts declined to comment on their roles in negotiating for the companies. But Pulse spoke with ransom negotiators and cybersecurity experts about what happens when they’re called in to negotiate on behalf of a health care company.
The comments from the professionals Politico spoke to amount to exactly what the government doesn’t encourage victims to do — pay:
Paying the ransom is usually the only way to secure stolen information and restore access to encrypted systems, according to Minder and Bailey. Ransomware negotiators communicate with bad actors to hammer out how much they’re willing to pay.
“The data they stole is so highly sensitive and confidential that you’re willing to pay the ransom in hope that they’ll give it back and not destroy it or publish it,” Bailey said.
UnitedHealth Group CEO Andrew Witty told Congress earlier this month that the company paid a $22 million ransom to protect stolen patient data.
“Even the organizations that have great backup strategies end up having to pay because the restoration process would take so much time,” Minder said. “It is so complicated, and when you’re talking about patient well-being, that puts an additional pressure on it. They can’t wait to see if their backup strategy is going to work.”
Politico’s article does not remind people that the firms they spoke to make money from negotiating ransoms. And it does not discuss the alternative: having a usable backup to restore from. Nor does it mention all the reports that even decryptors do not result in all data being decrypted and restored quickly. It’s a shame Politico didn’t at least mention all the countervailing reports and recommendations.