The Three Options in a Ransomware Attack: Restore If Possible, Pay, or Lose Patient Information


Wednesday, April 6, 2016

by Craig Musgrave, Senior Vice President, Information Technology, The Doctors Company

The news made national headlines: Hollywood Presbyterian Medical Center's computer systems were down for more than a week [1] as the Southern California hospital became yet another victim of ransomware -- an attack where a business or individual's computer system is held hostage by cybercriminals until a ransom is paid. Hollywood Presbyterian Medical Center ended up paying $17,000 to restore its systems and administrative functions.

Once ransomware is in your medical practice or hospital system, there are only three basic options:

  1. If you have performed frequent backups, restore your system.
  2. If you have not performed frequent backups, pay the ransom.
  3. Put your system back to the default setting -- and lose everything.

If before the attack you've performed incremental backups, you can restore the areas affected, with minimal data loss (for example, an hour). If you have point-in-time backups, you can restore with increased data loss (for example, a week). If you have no reliable backups, you can reset the technology back to its "out-of-box," or default, state and lose all the data, if no paper records exist. The only other option would be to pay the ransom.

Besides loss of business, inconvenience to patients, and damage to reputation, a ransomware attack also poses liability risks. The possibility of adverse events and subsequent claims for professional negligence increases when computerized systems necessary for various functions such as CT scans, documentation, lab work, and pharmacy needs are offline. If hospital systems are down for any significant period of time, certain patients should be transported to other hospitals.

Adverse events can occur when healthcare workers do not have access to EHR systems. However, if this type of case were litigated, the patient would have to prove that something in the records may have had a bearing on the treatment being provided. In the case of emergency care, the claimant would have to successfully argue that the staff should not have undertaken the care until the medical records could be accessed.

Hospitals, medical practices, and businesses should take full precautions to prevent a hack that results in ransomware being installed. Prevention strategies include:

  • Provide security awareness training for all employees. Over 80 percent of attacks are made possible by human error or human involvement. Train staff members to avoid downloading files, clicking on links, or connecting unknown USB devices to computer systems.
  • Block the malware at the firewall, by using intelligent firewalls to stop the malware from downloading.
  • Install intrusion detection software to monitor illegal activities on computer networks.
  • Stop the malware from executing on desktop computers by installing application whitelisting software, anti-virus, or anti-malware.
  • Perform regular system backups.
    • Ensure that critical systems and business data are backed up -- even backed up hourly for critical systems.
    • Test that the backup restore process works.
  • Avoid relying solely on encryption. Encryption does not protect a business from a ransomware attack. If a cybercriminal has your login, encryption doesn't do anything to stop the hacker.
  • Perform penetration testing on a regular basis to determine any existing vulnerabilities that should be patched.



  1. Dangerous escalation in ransomware attacks. CBS News. February 20, 2016. Accessed March 21, 2016.

Contributed by The Doctors Company.