KANSAS CITY, MO (KCTV) -- The demand came to Truman Medical Center via email: we’ve locked you out with ransomware, and if you want the encryption key to get back in, you need to pony up.
“It’s a business model,” Jon Schram of The Purple Guys said.
Schram is president of the IT firm The Purple Guys. He said paying the ransom should be a last resort.
“Because you’re really saying, hey I paid the ransom this time. I’ll pay it again. And I’ve got money to pay it. So you’re putting a bigger target on yourself. You’re also reinforcing the business model that is to send out spam emails, trying to get people to click on stuff,” Schram said.
But Truman Medical Center paid the ransom, describing it in a statement as, in part, “a small amount of money for which the medical center was insured.”
That’s right, there’s an insurance policy for that. It’s called “Network Extortion Expense” coverage, part of a cyber liability policy that came onto the scene about 10 years ago and really took off in the last two or three, says Emily Short, Vice President of Technology Risk at the insurance brokerage firm Brush Creek Partners.
“Policies that will pay a cyber extortion or ransomware demand are actually really common,” Short said. “Two years ago I probably would have told you the average demand was $1,000. They are finding that people pay their demands, so they are asking for more.”
She said the most common demands range from $500-$20,000, but she’s seen some for a million or more.
One technique used to limit the damage is segmenting the computer network into separate parts, so that an attacker who gets into one segment cannot reach the others. That seems to be what happened here.
The spokesperson for Truman Medical Center says the hacker did not get into patient data or financial data. The only example of the impact she would give: the hospital had to stop using automated controls on its thermostats and switch to manual.
“It sounds like they’re following best practices. Which means the critical data and the critical systems have extra layers of protection,” Short said.
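The segmentation idea described above can be checked on paper before an incident. The following is an added illustration, not Truman Medical Center’s network or anything from The Purple Guys or Brush Creek Partners: a small policy model with constructed host names, zones and firewall-style allow rules, which computes how far a foothold could spread over the ports commodity ransomware typically uses for lateral movement (the port list is an assumption) and flags any rule that would let such traffic into a critical zone.

```python
"""Toy model of network segmentation as a ransomware blast-radius limiter.

Hypothetical example with constructed data; it does not describe any real
hospital network. Hosts are assigned to zones, and a rule (src_zone,
dst_zone, port) allows traffic between zones on one TCP port ("*" = any).
Hosts in the same zone are assumed to reach each other freely.
"""
from collections import deque
from typing import Dict, Iterable, List, Set, Tuple

Rule = Tuple[str, str, object]

# Assumption: ports commodity ransomware commonly uses to spread (SMB, RDP).
SPREAD_PORTS: Set[int] = {445, 3389}

# Constructed hosts for a segmented design: building management (bms),
# clinical systems, finance, and staff workstations.
HOSTS: Dict[str, str] = {
    "thermostat-ctl": "bms",
    "hvac-server": "bms",
    "ehr-app": "clinical",
    "ehr-db": "clinical",
    "billing": "finance",
    "nurse-ws": "users",
}

# The same hosts on a flat network, all in one zone.
FLAT_HOSTS: Dict[str, str] = {host: "corp" for host in HOSTS}

# Zones that get "extra layers of protection".
CRITICAL_ZONES: Set[str] = {"clinical", "finance"}

# Segmented policy: workstations may reach web consoles (443) only.
SEGMENTED_RULES: List[Rule] = [
    ("users", "clinical", 443),
    ("users", "finance", 443),
    ("users", "bms", 443),
]

# A mistaken "allow everything" rule from building management to clinical.
MISCONFIGURED_RULES: List[Rule] = SEGMENTED_RULES + [("bms", "clinical", "*")]


def reachable_hosts(hosts: Dict[str, str], rules: Iterable[Rule], start: str,
                    spread_ports: Set[int] = SPREAD_PORTS) -> Set[str]:
    """Return every host a worm starting at `start` could reach.

    A hop from host A to host B is possible when both sit in the same zone
    or a rule allows zone(A) -> zone(B) on any spread port (or on "*").
    """
    allowed = {(src, dst) for src, dst, port in rules
               if port == "*" or port in spread_ports}
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        cur_zone = hosts[cur]
        for other, zone in hosts.items():
            if other in seen:
                continue
            if zone == cur_zone or (cur_zone, zone) in allowed:
                seen.add(other)
                queue.append(other)
    return seen


def lateral_rule_violations(rules: Iterable[Rule], critical: Set[str],
                            spread_ports: Set[int] = SPREAD_PORTS) -> List[Rule]:
    """List rules that let spread-capable traffic into a critical zone
    from some other zone; a clean segmented policy returns an empty list."""
    return [
        (src, dst, port) for src, dst, port in rules
        if dst in critical and src != dst
        and (port == "*" or port in spread_ports)
    ]


if __name__ == "__main__":
    # Foothold on the thermostat controller, as in the article's example.
    for label, hosts, rules in [("flat", FLAT_HOSTS, []),
                                ("segmented", HOSTS, SEGMENTED_RULES),
                                ("misconfigured", HOSTS, MISCONFIGURED_RULES)]:
        reach = reachable_hosts(hosts, rules, "thermostat-ctl")
        print(f"{label:13s} blast radius: {len(reach)}/{len(hosts)} hosts "
              f"-> {sorted(reach)}")
        print(f"{'':13s} policy violations: "
              f"{lateral_rule_violations(rules, CRITICAL_ZONES)}")
```

On the flat network the thermostat foothold reaches every host; on the segmented one it stays inside the building-management zone, and the single wildcard rule in the misconfigured variant is exactly what the policy check flags, which is the kind of review a practitioner would run on firewall rules between zones.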
But even temperature controls are crucial in a hospital, which is why health care clients are likely to pay up.
“You are dealing with patients’ lives. You are dealing with things that are very time sensitive. You don’t have time to transfer everything to a new system, upload it again, and get that information,” Short said.
The city of Baltimore is one example of how expensive taking the high road can be. It was hacked three months ago, and The New York Times reported the bitcoin demand was the equivalent of $75,000.
The city’s budget office estimated the cost of recovery at $18 million. But some experts say refusing is worth it in the long run to avoid repeat attacks, which is why 300 mayors joined Baltimore last month in vowing not to pay ransom, in order to disincentivize cyber blackmail.
KCTV5 News asked Truman Medical Center for the dollar amount of the ransom demand and their insurance deductible for filing the claim, and they would not reveal those details and specifics.