Jennifer LaGrassa reports:
For the first time, top leadership from the five southwestern Ontario hospitals hit by a ransomware attack answered questions from the media — acknowledging the significant impact the incident has had on care, as well as the large amount of stolen data.
During the roughly 50-minute meeting on Friday, each hospital CEO said their facility has been hard hit by the Oct. 23 attack, but recovery is ongoing and they’re getting by with the hard work of staff. With systems down and hospitals unable to access critical information, thousands of patient appointments have been cancelled across the five hospitals, creating backlogs of varying lengths at some of the facilities.
Read their updates on CBC to get a more detailed description of the impact on each hospital or system.
On the question of whether to pay the ransom for this incident, Aaron Mahoney reports:
Concerns shared with the CEOs by experts in situations like these are why they decided against paying the ransom, but Musyj says they’re looking for action.
“What we do hope is for governments to mandate that no ransom payment position. This was recently endorsed by Canada, and 49 other countries, as part of the International Counter Ransomware Initiative. Paying ransom only perpetuates this issue from reoccurring to others, and feeds this monster.”
Read more at iheartradio.ca. If the thinking is that criminals will be less likely to attack if victims are prohibited from paying, I’m not sure how much of a deterrent that will be. It may push some threat actors toward a different sector or victim, but others may simply continue as they have been, betting that victims will still pay and just not disclose the payment, or they may start trying to extort patients directly.
The issue of whether to pay ransom continues to be a thorny one, with most governments and experts advising against paying it, while many victims feel they have no choice but to pay. In related coverage, Jason Vermes of CBC reports:
When the town of St. Marys, Ont., fell victim to a cyberattack last year, lawyers advised the municipality to pay a ransom of $290,000 in cryptocurrency.
The decision was made after an analysis by firms specializing in cybersecurity. Al Strathdee, mayor of the southwestern Ontario town of about 7,000 residents, said the potential risk to people’s data was too high not to pay up.
“We could not be certain that there wouldn’t be information leaked that would be damaging someone’s reputation or something,” he told Spark host Nora Young.
Read more at CBC for some perspectives on why to pay, or not pay, ransom demands. St. Marys commented on their experience:
Strathdee of St. Marys said support from governments and law enforcement was limited, and collaboration is essential. He said governments should work together to better support smaller municipalities and organizations from cyberattacks.
“It was like a smash and grab, and there was nobody there to jump in,” he said of his town’s ransomware experience.
“The cavalry didn’t come, and the cavalry still isn’t there.”
Their quote reminded me of something I recently read and shared with a young child with confidence issues:
They whispered to her, “You can’t withstand the storm.”
She whispered back, “I am the storm.”
We have left hospitals, small businesses, school districts, and local governments to maintain their own cavalries, which is unrealistic if we are going to urge them not to pay ransom, or actually prohibit them from paying ransom.
Whether it’s local school districts, local SMBs, or local governments, wouldn’t it make sense to have them feed into a regional centralized system that has the security and personnel to try to prevent breaches and to react if there is a breach? Of course, the five southwestern Ontario hospitals were already doing that by funding TransForm, and this incident shows the trade-off: from a criminal’s perspective, a shared service provider or third-party vendor is a single target that yields many victims at once, so a supply chain or vendor attack is lucrative.
But the reality remains that smaller entities and governments really can’t withstand the storm and need help before and after any attack.
The following comment was submitted via email to DataBreaches from the Daixin Team. Unlike some comments submitted by others claiming to be Daixin Team, this comment really is from Daixin Team:
1. Like we said – the cost of rebuilding and repairing the aftermath of the attack will exceed what they could have paid us by several times.
That’s not taking into account that patients are suffering.
2. The group has always tried not to encrypt patient life support systems (devices).
These systems are usually the most vulnerable (old versions of OS software that cannot be updated).
But on the other hand – payment is guaranteed when people are on the verge of death.
Is it possible that a complete cancellation of payments would have the opposite effect?
This is just speculation for now….
It’s a classic legal question:
If the death penalty is introduced for rape, will there be fewer rapes? No, there will be rape and murder of victims.