Should healthcare leaders pay up when ransomware hits?

In late February, UnitedHealth Group (UHG) became the latest victim of a ransomware attack as a group of hackers known as BlackCat or ALPHV launched a successful hit against Change Healthcare, a UHG subsidiary that processes 15 billion financial and administrative transactions each year and touches nearly one-third of all patient data in the United States. 

Some hospitals, clinics, and pharmacies have claimed significant delays in processing prescriptions and payments due to the attack, leading to cash flow blockages and serious concerns about their ability to provide timely care – or even make their payrolls. And while CMS has quickly offered flexibilities to payers and providers in attempt to keep the healthcare system moving, the unprecedented nature of the attack has major implications for providers, payers, and patients seeking care.   

It may come as little surprise, then, that reports are surfacing that UHG has paid approximately $22 million in bitcoin to the attackers who are holding them to ransom. While neither UHG nor the hackers have confirmed that the transaction took place, industry observers believe that bitcoin transactions associated with BlackCat and ALPHV provide evidence of the attempt to pay off the criminals and end their stranglehold on the industry. 

If the rumors are true, would it be the right move? Lives are often at stake when healthcare infrastructure goes down, and leaders may feel it’s in the best interests of their organizations and their patients to do whatever it takes to return to normal. 

Or does paying off criminals just embolden them? After all, if there is no honor among thieves, there’s nothing to keep the attackers from demanding more and more money from their target without releasing the data as promised or striking again elsewhere with their newly gained resources. 

It’s a quandary that more and more healthcare leaders are going to have to address as the number of ransomware attacks continues to rise.  

The rising toll of ransomware across the healthcare ecosystem

Ransomware is becoming one of the most common types of cybercrime. Attackers use malware to encrypt a target’s data, restricting access to encryption the key until the target pays a specified amount. The data could include patient records, preventing clinicians from making diagnoses or providing treatments, or administrative and financial data that restricts everyday operations from occurring. 

HHS reports that the last five years has brought a 264% increase in ransomware incidents reported to the Office of Civil Rights (OCR).

While it’s difficult to quantify the full impact of a ransomware attack, a 2023 working paper from the University of Minnesota found that hospital volume tends to decrease between 17% and 25% during the initial attack week, which translates to delays in care and a potentially massive hit to the revenue cycle. The paper also suggests that at least a quarter of hospital markets will experience spillover effects from an attack, as is being witnessed with the Change Healthcare hack. 

Cybersecurity company Comparitech estimates that since 2016, the industry has suffered more than $77 billion in losses due to downtime alone, with the average attack in 2023 resulting in an average of 18.71 days offline.  

To pay or not to pay?

There are valid arguments on both sides of the question. Ransomware can be paralyzing for healthcare organizations, many of which are already strapped for cash and operating on razor-thin margins. The moral and business imperatives to provide seamless care can easily convince leaders to do whatever it takes to restore operations as quickly as possible, even if it means paying off criminals. 

It’s a choice that a large number of organizations do make when the chips are down.  According to a 2021 report by Sophos, 34% of organizations whose data was encrypted chose to pay the fee. The price averaged out to around $131,000 at the time. 

However, they reported that only an average of 69% of the encrypted data was restored after the ransom was paid, which may not be the value for money that they could have hoped for. 

The FBI has gone on record saying they while they do not actively advise organizations one way or the other, paying ransom should not be the first choice for organizations. They have even hinted in the past that paying off hackers – or having a third party help transfer ransom payments – could be a prosecutable offense, although officials have since provided context for those remarks.  

Instead, they recommend that organizations maintain full backups of their files and use them to restore functionality before considering giving into financial demands. 

The strategy is likely to be successful if organizations fully prepare for the possibility of an attack before it happens. In the Sophos report from 2021, 44% of healthcare organizations that had their data encrypted were able to successfully use backups to sidestep the question of payment all together. 

A further 28% of organizations experiencing an attack were able to avoid encryption in the first place by having defenses strong enough to deter the attackers, rendering the question moot from the beginning. 

While each ransomware attack is unique in its severity and downstream impacts, and the decision of whether or not to pay the ransom is very situation-specific, organizations should opt to be proactive instead of reactive when the question arises. 

Developing robust cybersecurity defenses and maintaining complete, accessible, and immutable backups of key data assets are the best way to solve the problem before it becomes a matter of urgency. With better preparation across the industry, healthcare organizations can become more resilient in the face of cybercrimes. 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at jennifer@inklesscreative.com.