As ransomware attacks on hospitals and health systems hit an all-time high in 2023, executives, legislators and patients alike are searching for a solution.
One proposed strategy to deter cyberattackers is to ban ransom payments. The logic is that if victims aren't allowed to pay ransom, hackers will no longer have an incentive to steal data, and ransomware attacks will decrease and, hopefully, disappear.
But is that a realistic goal?
Becker's reached out to health system chief information security officers for their thoughts, and the majority opinion was no: banning ransom payments will do nothing to prevent cyberattacks.
"I don't think banning payments will make much of a difference — we will just see them adjust their methods. We are already seeing threat actors shift to data destruction and extorting patients for payments," said Steven Ramirez, CISO at Reno, Nev.-based Renown Health.
The U.S. Treasury Department already bans ransom payments to entities under U.S. sanction — which has not deterred attacks, said Jack Kufahl, CISO at Ann Arbor-based Michigan Medicine. "Administrative and legislative activities should be focusing on the cause of the criminal activity, not the victims of it," he said. "Punishing the victims of crimes is another incremental move in the wrong direction."
Mr. Kufahl's sentiments reflect those of other influential groups. When HHS proposed fines that were intended to incentivize health systems to bolster their cybersecurity, the American Hospital Association dubbed the measure "counterproductive." By paying fines, the AHA argued, hospitals would drain their own resources and accept the blame for attacks that they did not perpetrate.
"Ransomware threat actors aren't going to stop just because the government says 'don't pay,'" said Aaron Weismann, CISO at Radnor, Pa.-based Main Line Health. "They're very incentivized to monetize cybercrime. … They'll do that at scale with personal information and identities which are inherently valuable." Hence, banning ransom payments will do little but motivate hackers to find new ways of manipulating hospitals and health systems into making payments, like extorting victims directly. The idea of a ban is impractical and won't benefit the entities it seeks to help, Mr. Weismann said.
If the government were to ban ransom payments, hackers would likely just shift targets, focusing on less staunchly regulated countries, said Anahi Santiago, CISO at Newark, Del.-based ChristianaCare. "Determining whether to ban ransomware payments is a challenging dilemma," she said. "Theoretically, banning ransomware payments can sap some of the power of threat actors and put a dent into this nefarious yet profitable industry. However, in industries such as healthcare, lives can literally be put at risk by the inability or refusal to submit to ransomware payment demands. While I am by no means endorsing that all industries pay, certain industries must consider scenarios that factor in the amount of time it takes to restore from backups."
Overall, the CISOs favor enhanced cybersecurity and prevention over a ban. "Security leaders must work with their business leaders to bake in resiliency, to believe that 'an ounce of prevention is worth a pound of the cure', and that you can prevent and contain or bounce back quickly," said Esmond Kane, CISO at Dallas-based Steward Health Care. A health system that can avoid dealing with hackers entirely because of its dedication to security is in a perfect spot.
"I am very much for creating safety nets that can be accompanied by drastic measures like prohibiting ransomware payments," Mr. Weismann said. "Without those safety nets, it's just naked risk exposure with no upside, which is not ideal risk management."