The screen shows an ominous message. Your system is locked, and you have hours or a few days to pay the ransom to have it unlocked. Conveniently, there’s a big countdown timer on the screen to help you keep track of how much time you have left. You ask around, and there is indeed no way to get your data back without the decryption key.

How did you get here? Likely an employee clicked a link or opened a file they shouldn’t have.

The size of the problem

Ransomware is easy money for criminals. The software is cheap and easy to spread, the victim has a powerful incentive to pay up, and if they don't, the criminals have lost very little: the sea is brimming with fish, and some of the most desirable fish are hospitals.

Why hospitals?

  1. Aging hardware and security systems
  2. Misconfigured systems
  3. The value of the data

And if you’re not willing to pay to get your data back, so be it. The next step might be modifying patient records or releasing them to the public. Will you pay now?

The first line of defense

People will always be the first line of defense against ransomware. Training can be hard in a hospital environment, where one organization employs many people with very different backgrounds and responsibilities.

But if employees don't know to watch out for email attachments and links that might be part of a phishing attack, you're vulnerable. Staff must be trained to understand that an attachment with a plausible title, such as "new patient list," is not necessarily legitimate.

And then what?

  1. Invest in hardware that’s up to the task of warding off threats.
  2. Back up your data both on physical media and in the cloud.
  3. Make a plan and practice.
  4. Consider security just another part of your ultimate duty: patient care. Your patients deserve to have their records kept safe.

Should you pay?

Yes, if the cost of paying the ransom is cheaper than the cost of buying the hardware you need to keep your data safe. Yes, if the cost of paying off the bad guys is cheaper than the cost of training the good guys.

But ask yourself this: will it really be cheaper when you’re on your hundredth attack, because your repeated payments have encouraged the criminals to keep it up? Paying one ransom might seem like good value, but paying every week will quickly add up.

Considering ransomware from an economic perspective isn’t a bad way to look at it. Just be certain you’re looking at the whole picture, not one incident in isolation.