A few days ago, the sadly-predictable news broke that a U.S. hospital had been hit with a ransomware attack. Initial reports were that hackers demanded that Hollywood (CA) Presbyterian Medical Center pay $3.4M in bitcoins to regain access to its data. The hospital refused, and began working with paper to meet its patients’ needs. However, it was later reported that the $3.4 million number was wrong and the hospital was only asked to pay $17,000. The hospital chose to pay the ransom and got data access back. But the mere fact that Hollywood Presbyterian got off relatively easily shouldn’t blind us to the growing ransomware threat, nor the steps we need to take to address this crisis.
Now, before I ramble on about what I think should be done, please bear in mind that I’m an HIT analyst and writer, not a network engineer. So the modest proposal is coming from a non-technical person, but I do believe that it has some merit as an idea. Hopefully readers will continue to improve, debate, and educate us on the merits and challenges of the idea in the comments.
Here’s my proposal. Whereas:
* Hospitals can’t afford to have their data randomly locked any more than airlines can afford to have their engines do so, AND
* Nobody wants to voluntarily create a ransomware market that grows steadily stronger as hospitals pay up, SO
I suggest we find a new way for hospitals to cover each others’ back. The idea would be to make it more or less impossible for hackers to capture all of another hospital’s data.
Here’s where I get hazy, so follow me — and criticize me, please — but what if every hospital had a few sister hospitals which held part of the day’s data backup? I can see attackers shimmying through every currently available connection at a single institution, but would all five be vulnerable if they only connected in the event a data lockout at hospital A?
Even if such a peer to peer architecture would work, I’m not sure it would be practical. After all, it’s one thing to download an illegal software copy via P2P and quite another to help restore a terabyte or more of data.
Also, it certainly hasn’t escaped me that there are serious competitive concerns involved in setting up such arrangements, though those could certainly be mitigated by the fact that no sister hospital would have a complete data set for Hospital A.
Even if this idea is utter garbage, however, I believe we’ve reached a point where if we’re going to fight ransomeware, some form of deep industry cooperation is necessary. Let’s not wait for patients to be harmed or die due to data lock-out.