Last week Hollywood Presbyterian Medical Center said it paid hackers $17,000 in virtual currency bitcoin to get out from under a malware attack that locked access to certain computer systems and prevented the hospital from sharing communications electronically.
But is this practice advised, and is it covered by insurance?
To start, a survey early this year from nonprofit Cloud Security Alliance found that 24.6 percent of companies would be willing to pay a ransom to hackers to prevent a cyberattack and 14 percent would pay more than $1 million.
The Los Angeles-based hospital is not the first to give in and pay hackers ransom. A quick search reveals at least several others have done the same, including some police departments in the US. However, coughing up a ransom to hackers is an action that prompts mixed reviews.
Earlier this month Advisen invited nearly a dozen professionals to take part in a cyber war game, which has become a worthwhile exercise before each of our Cyber Risk Insights Conferences throughout the year. The last, in London, offered our fictional company, Hermes, a way out: pay a rather large ransom demand from the hackers of 10 million pounds.
Interestingly, the executive leadership of our “internet service provider” considered paying the hackers—especially since the company provided services to hospitals as well as police and fire departments, and interruptions were being threatened.
This is what Hollywood Presbyterian chose to do. In a statement the hospital’s CEO, Allen Stefanek, said: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Hermes never paid the ransom during or cyber war game but significantly notable, especially now in hindsight, was the reason why. The authority involved in the exercise, Matthew Roach of the National Crime Agency’s National Cyber Crime Unit, advised against it.
This story in an excerpt of the original. The content originally appeared in Cyber Front Page News. To read the whole story, you must be a subscriber. Subscribe now.
Chad Hemenway is Managing Editor of Advisen News. He has more than 15 years of journalist experience at a variety of online, daily, and weekly publications. He has covered P&C insurance news since 2007, and he has experience writing about all P&C lines as well as regulation and litigation. Chad won a Jesse H. Neal Award for Best Single Article in 2014 for his coverage of the insurance implications of traumatic brain injuries and Best News Coverage in 2013 for coverage of Superstorm Sandy. Contact Chad at 212.897.4824 or [email protected].
