Dan Gorenstein: Ransomware attacks seem to be everywhere these days.

News clip: Drivers have been lining up at gas stations for days since a cyber attack shut down the main pipeline for the East Coast.
News clip: The world’s biggest meat producer, JBS, forced to curtail operations after a ransomware attack.

DG: And health care has emerged as a top target.

News clip: One of San Diego’s largest health care systems is scrambling to recover after being hit by a ransomware attack.
News clip: Sky Lakes Medical center in Oregon confirmed a ransomware attack.
News clip: The University of Vermont Health Network is the victim of a cyber attack.

DG: With attacks that can shut off care for weeks, hospitals are waking up to a startling reality. 

Anahi Santiago: The industry is realizing that cyber security really, truly does equal a threat to patient safety.

DG: Today, why health care has been slow to the cybersecurity game and how it is now racing to catch up.  

From the studio at the Leonard Davis Institute at the University of Pennsylvania, I’m Dan Gorenstein, and this is Tradeoffs.

Karen Sprenger: I don’t remember the specific date, but it was in 2020, and it was a Friday. I do remember that.

DG: Karen Sprenger lives in Missoula, Montana, and like lots of us, was working out of her home office last spring.

A “don’t panic” poster hung on one wall. A Yoda she built out of legos sat behind her.

It was just before 5, but instead of thinking about that after-work drink, Karen was bracing herself. 

KS: In our line of business we call them Forensic Fridays because an abnormally high number of cases come in on a Friday.

DG: Sure enough, the call came in.

KS: Incoming case, ransomware, call in five.

DG: Karen opened Zoom and met her client: a clinic in the Midwest that provides home health care, dialysis and chemotherapy.

The clinic told Karen employees were locked out of their files. A computer virus had spread everywhere — servers, work stations, patient records. 

KS: They had no way of knowing what chemotherapy treatment was supposed to be given. They didn’t have access to patient allergies.

DG: It had taken just over 24 hours for the clinic’s operations to grind to a halt.

KS: They were basically dead in the water. They couldn’t do anything.

DG: Karen is the COO for the cybersecurity firm LMG Security. 

She explained the clinic was facing a ransomware attack. 

KS: A ransomware attack encrypts all of your files. So it locks them up, and the only way to open them is to get a key, which is really just a long series of numbers and letters. And so in a ransomware attack, they’re holding those files, the lock for those files until you pay them.

DG: The FBI has a strict “don’t pay the ransom” policy.

They encourage companies to call law enforcement immediately. 

But eager to regain control of their systems as quickly as possible, many organizations instead turn to someone like Karen, who has been working in this shadowy, upside down world for the last 8 years. 

KS: I negotiate ransoms for clients who need that.

DG: Karen has negotiated more than 100 ransomware cases, 30 or so involving health care, and she’s learned to keep a level head. 

It’s a lesson she picked up from the 2000 film Proof of Life.

Proof of Life: Meg Ryan: Can you just explain how this works?

Russell Crowe: They make a demand. We start negotiating.

Hostage Taker: $3 million is the price. 

DG: That’s the movie where Meg Ryan hires Russell Crowe to negotiate with terrorists to get her husband back. 

KS: There’s a scene where Meg Ryan is upset because Russell Crowe, who’s the negotiator, is speaking with the kidnappers as if they’re businessmen or real people. 

Proof of Life: For you it’s emotional. For the people holding Peter, it’s a business. 

KS: And he’s explaining how this is a business deal and he needs to get them to trust him.

Proof of Life: The sooner you get comfortable and objective about that, the easier this will be.

KS: And I think that one is super relevant in that you have to learn not to let emotion get in the way when you’re doing negotiations.

DG: That Friday afternoon, Karen could see the emotion on the clinic’s staff’s faces over Zoom. She could hear the panic in their voices.

They’d already had to cancel 50 chemo and dialysis treatments.

KS: They very explicitly told us, here’s the services that we offer and we can’t do that right now. And we can’t continue like this because people can’t be without their health care. They couldn’t do the thing that they were there to do and that was really hard for them.

DG: Having the ability to care for your patients held at ransom is a health care provider’s worst nightmare.

This clinic was desperate, they were willing to pay, and Karen knew she needed to act fast. 

DG: Data from the federal government, IBM and other industry reports indicate ransomware attacks on health care are on the rise, perhaps as much as 60% in the last year. 

Ransom demands are also up, ranging from hundreds of thousands of dollars to more than a million.

And then in October 2020, a warning from the FBI — cybercriminals had set their sights on health care.

News Clip: Hackers are targeting hospitals and health care providers in what cybersecurity experts believe to be a massive attack.
News clip: So far five hospitals. Security experts warn hundreds more under threat.

DG: Cyber attacks have been a growing concern for about a decade, but experts say the problem exploded in the last 12-18 months. 

There are a few factors driving this.

One, the pandemic.

The move to telehealth and remote work has made health care more vulnerable, in part by pulling cybersecurity staff away from their normal jobs.

Two, cybercriminals know that attacking health care can be a good way to make big money fast.

Eric Johnson: They want to attack organizations that are not going to sit around for days and think about paying that ransomware attack.

DG: Eric Johnson is the dean of Vanderbilt’s Owen Graduate School of Management and studies health care cybersecurity.

EJ: If they go to health care, maybe they’re thinking, well, these guys are going to be desperate and they’re going to pay quick.

DG: And the final thing — health care has been behind the cybersecurity curve.

EJ: Your bank, your stockbroker, those folks have been investing in security for decades.

DG: Why has health care been so late to the cybersecurity party?

Eric says it’s partly because health care remained a pen and paper world a lot longer than other industries. 

EJ: In most cases, criminals were leaving the health care organizations alone. The quick money was to steal credit card numbers or get your Social Security number and commit some identity theft or something like that.

DG: Health care only became a serious target in the late 2000s when the federal government and hospitals started pumping billions into electronic health records.

Some organizations saw the potential risk these new digital records posed and started working to protect them.

Anahi Santiago was one of the industry’s first cybersecurity executives and now serves as the Chief Information Security Officer at ChristianaCare, a large health system in Delaware.

In the early years Anahi says many hospitals saw cybersecurity as a minor issue, if they saw it at all.

AS: If you think about, let’s say, 8 years ago, the causes of cyber security incidents in health care were data breaches where, yes, you lost the data, perhaps you got a fine from the federal government. But life safety wasn’t compromised.

DG: Anahi says another reason they were slow to adopt new defenses? Cybersecurity is expensive and complicated.

Even when organizations beefed up IT departments, their concerns were often dismissed.

AS: Early on, there were a lot of my peers that did not have a seat at the table. And what that means is that they really didn’t get to speak to the board. The board really wasn’t inquiring about really, really important work.

DG: But ransomware has changed everything.

Instead of just stealing patient data to sell on the Dark Web, today’s attacks can shut down an entire facility, like that midwestern clinic working with Karen.

The damage this can cause has become more difficult to ignore. 

Ransomware can cost organization’s millions in payouts, rebuilding computer systems and lost revenue.

Attacks have even put some small providers out of business.

But it’s the potential for human costs that Anahi says has finally driven hospitals to get more serious about cybersecurity.

AS: The concern is that becoming a victim of ransomware will render us unable to care for our patients, and that is the level of concern that is driving the change in the industry.

DG: It’s difficult to document just how much is changing and how fast.

There’s no national repository tracking updates or anything. 

Several cybersecurity firms did tell us they’ve seen significant jumps in their health care business over the last several months.

Anahi says her colleagues across the country report those same hospital leaders who used to ignore cybersecurity threats now want regular briefings.  

AS: They’re saying, “How can we help? What do you need? What resources and investments do we need to make as a health care organization to make sure that you are successful in your fight against the cybersecurity threats?”

DG: When we come back, we get keyboard-side seats to Karen’s ransomware negotiation, the push for more federal resources, and why it will take more than money to shore up health care’s cyber defenses. 

MIDROLL

DG: Welcome back.

Ransomware negotiator Karen Sprenger says the undersized IT team at that small midwestern clinic told her they’d tried to warn their leadership that they were vulnerable to a ransomware attack.

KS: We’re not protected against this. We need budget. We need to update our systems. And they weren’t gaining any traction. And then this happened.

DG: The cyber-strike in May 2020 forced the clinic to shut down operations with staff scrambling to reschedule chemotherapy treatments and dialysis appointments with different providers. 

Karen’s team got to work containing the attack. 

Karen turned her attention to the hostage takers.

 KS: We always encourage clients not to pay. But there are situations where they have no choice, and this was one of them. Their backups were non-recoverable. So they were in a tough spot.

DG: This is why they brought Karen in.

Like an athlete before a big event, she’s got her rituals. 

She makes a new email address, adopts a pseudonym, and then she steps out of everyday Karen and slips into her alter ego. 

KS: My alter ego is very direct and a little outspoken and probably a little more courageous, forceful and assertive.

DG: No-nonsense Karen got right to the point in her first email to the attacker. 

KS: I’m a third party. I’ve been brought in to bring this to a satisfactory conclusion for all parties involved. How much are you asking for the ransom?

DG: Within the hour, she had a response: $1.5 million.

KS: Which is unreal.

DG: Karen saw that demand and ignored it.

Now she had to decide whether to tell her counterpart, who went by Saheed, that he had attacked a health care facility.

KS: With some attackers, you don’t want to tell them that because they will use that to increase the ransom thinking, oh, well, we’ve got them in a difficult position. But there are some of these criminal groups that do have some empathy, some compassion. It’s tiny. It’s not enough to say, sorry, we didn’t mean to hit health care. We’re going to just give this to you for free. But it’s enough for them to say, OK, we understand the position that you’re in.

DG: Karen gambled and told Saheed about the clinic, that critically ill patients were going without care and that while the clinic was open to paying, it did not have $1.5 million.

Saheed was willing to play ball.

He dropped the price to just over a million.

Karen countered with $200,000.

As Friday turned to Saturday, the two volleyed dollar amounts back and forth, Karen updating the clinic the whole way.

As bizarre as this all may sound to us, this was a relatively by-the-book negotiation.

We were unable to independently confirm Karen’s story, though two veteran negotiators did tell us the details sound in line with how these cases usually go down.

As the weekend dragged on, Karen thought of people missing out on their treatments for cancer and kidney failure, and her stoic alter ego started feeling the squeeze.

KS: Just really felt the responsibility of, if we don’t move fast, there are people suffering out there.

DG: Finally, Sunday morning, a breakthrough.

KS: Must have been about 9 o’clock because I had just finished breakfast.

DG: Saheed had offered $500,000.

KS: So I countered with $435,000 thinking we’d end up at 450. But that’s when they came back and said, done.

DG: Karen worked with a broker to buy $435,000 worth of bitcoin on the clinic’s credit card and then sent the payment off to Saheed.

KS: As we were starting to decrypt files and they could see a light at the end of the tunnel, they just felt relieved. They could see that, yes, we can get back to treating patients and providing the services that we provide.

DG: It took all of Sunday and Monday to safely decrypt all the clinic’s files and bring their systems back online so they could start seeing patients again.

Karen says since the attack, the clinic has invested more in cybersecurity.

Finding enough money is a constant challenge to improving health care digital defenses.

A recent survey found that only 40% of health care cybersecurity leaders think their organization will be able to make the necessary investments.

But even when they can find the money, it’s just the first step.

Saad Chaudhry: It’s not an on and off flipping of a switch where you just say it to flip the switch, I will need X amount of millions of dollars. Switch is flipped. We are now secure.

DG: Saad Chaudhry is the Chief Information Officer for Luminis Health, a mid-sized health system in central Maryland.

He says buying the security tools you need is just the first battle.

Then you have to actually install those tools, an often technical, challenging, time-consuming process.

For example, take something he calls “endpoint security.”

SC: An endpoint is where your network ends. So that can be your phone. If it’s on the network, that can be an iPad or a computer or whatever. An organization our size, we have over 15,000 devices. So imagine now having to A, locate them because there’s no longer just desktop sitting in a corner. B, make sure they’re not being used. C, make sure they’re updated with the latest firmware software security software and the endpoint security thing that you just bought — 15,000 times.

DG: Another battlefield? 

The bedside where cybersecurity can collide with patient care.

SC: Imagine a nurse is trying to scan a patient’s wristband with a wireless scanner and then dispense medication from her cart. And let’s just say that scanner is out of battery or it’s not working because it’s wireless.

DG: Saad says the nurse could look for an old plug-in scanner, but Saad’s team has turned off the USB ports on the cart, a common cybersecurity step.

SC: So all of a sudden it could look like us disabling the USB port for cybersecurity reasons is an impediment to providing patient care, maybe very, very serious and lifesaving patient care in that moment, in that room, on that workstation.

DG: Several experts we talked with said this tension between security and speed helps explain why the industry has been slow to adopt stricter measures.

Going from device to device, doc to doc, finding the right balance, says Saad, is one of the most painstaking parts.

SC: It’s like warfare, but trench by trench, by trench by trench.

This is a battle that you have to fight so you can allow the clinicians to actually do their job, but also to protect the organization as a whole, because if the organization is under attack, then no patient will get care at that hospital.

DG: And the battles stretch on: Securing the ever-growing number of medical devices, hiring and retaining tough-to-find cybersecurity staff. 

It’s all so daunting. 

SC: If you’re running out of supplies, you see it physically. We cannot give this medication out. We’re out. The lion is in your face roaring. With cybersecurity, that is not the case. The lion is there, but you do not see it, you do not hear it. But make no mistake, it is just as deadly.

DG: The federal government is paying more attention to the silent cybersecurity lion.

President Biden issued an executive order in May boosting Washington’s cyber defenses. 

Congress has held several recent hearings.

And hospitals are lobbying lawmakers to include funding in an infrastructure package aimed at supporting smaller providers. 

Hospitals and other health care companies have made up ground, but the threat keeps growing, and the industry must accept cybersecurity is now just a way of life.

Ransomware negotiator Karen Sprenger says there may once have been a time when the bad guys left hospitals alone.

But those days are gone.

KS: What’s important to understand is except in the cases of things like Colonial Pipeline, they are not targeting specific institutions. They are casting a wide net. So that feeling of security that we get, is false. They are just looking for a vulnerability. And if they find it, they’re coming in.

DG: I’m Dan Gorenstein, and this is Tradeoffs.