To pay or not to pay – cyber-security specialist Ajay Unni explains how to avoid paying ransomware and what’s at risk if you don’t. 

Transmitting health information and maintaining patient records digitally is now a mainstay of the medical industry. In turn, these systems have become a lucrative target for cybercriminals, increasing the importance of cybersecurity. 

Ajay Unni

Ransomware, in particular, is a huge concern for the medical industry. These malicious types of software are designed to block access to a computer system until a specific amount of money is paid. Since any downtime can put lives at stake, practices may choose to pay the ransom and move on as quickly as possible. 

By paying the ransom, medical businesses might also believe they’re protecting sensitive data from being exposed or lost forever, which makes sense when you consider the huge amount of valuable personally identifiable information (PII) used in the industry. 

Paying a ransom is often seen as a simple business decision: if the costs to recover from a ransomware attack exceed the ransom payment, some may choose to pay the ransom amount. Some medical practices will also choose to quietly pay a ransom rather than report it to officials and risk reputational damage. 

Paying may not work

Paying the ransom to regain access doesn’t completely eradicate the risks. Hackers could easily install other types of malware that could be activated later in order to launch new attacks. Victims might even suffer repeat attacks if other criminal groups learned that they made a ransom payment. 

Even if a business makes a ransom payment, there are no guarantees that attackers will return the data or that the decryption key gets data back where it was before the attack. In many cases, a single payment may evolve into multiple payments. For example, the first payment gives victims a decryption key, while a second payment may be requested to ensure that sensitive data isn’t released to the public. 

Making the payment could also get medical practices in serious legal trouble. Depending on the nation-state the hacker group operates out of, paying ransomware attackers could even be seen as funding terrorism.

However, there are several steps that businesses can take to avoid paying ransomware in the future. Some operating systems even offer specifically-designed ransomware protection, so make sure you enable this function to protect your devices.

Update your device and turn on automatic updates. Cybercriminals take advantage of known vulnerabilities to hack your devices. Regular system updates have comprehensive security upgrades to patch these vulnerabilities.

Security ID

Multi-factor authentication (MFA) is another important must-have. MFA means there are two checks in place to prove your identity before you can access your account. For example, you may need to supply an authentication code from an app and your password. This makes it more difficult for someone to access your files or account.

Set up and perform regular backups. A backup is a digital copy of your most important information that is saved to an external storage device or to the cloud. The best recovery method for a ransomware attack is a regular offline backup made to an external storage device and a backup in the cloud. Backing up and checking that backups restore your files offers peace of mind. You can set up automatic backups in your system or application settings.

Finally, make sure you implement access controls. Controlling who can access what on your devices is an important step to minimise the risk of unauthorised access. It will also limit the amount of data that ransomware attacks can encrypt, steal, and delete. To do this, give users access and control only to what they need by restricting administrator privileges. 

The ultimate goal is to embed cybersecurity awareness into the heart of your practice. That way, with the right protections in place, your practice should never be forced to make that impossible choice of whether to pay or not pay. 

ED: Ajay Unni is founder of cybersecurity mitigation company StickmanCyber and was part of the NSW Government’s cyber security taskforce in 2020.