It was an expensive lesson that all high-profile employers should absorb, or risk enduring the pain that ECMC has suffered: If you don’t spend money to protect your computer systems, you are likely someday to pay an extraordinarily high price.
Leaders of Erie County Medical Center made a wise decision when they refused to pay nearly $30,000 in ransom after an overwhelming cyberattack in April, but the cost of their good sense was severe: They estimate that when all is calculated, the attack will have drained the hospital of almost $10 million.
Other hospitals, governments, police departments, airports and other sensitive operations need to take note, if they haven’t already: Hackers are out there. They are persistent. They are thieves who believe, apparently with some reason, that they will never be caught. The question isn’t if large employers will be the target of a cyberattack, only when. They need to be prepared.
The $10 million price tag includes the cost of computer hardware, software and assistance needed in responding to the attack. Also included are increased internal costs such as overtime pay and decreased revenues from the loss of business while the system was down.
Those are the costs so far. Yet to come are expenses related to upgraded technology and employee education to harden the system against attacks. That cost is estimated at between $250,000 and $400,000 a month.
“What happened to us was a wake-up call for the entire community,” said Thomas Quatroche Jr., the hospital’s chief executive officer. “Any major institution that wants to improve cybersecurity will have to make investments just like this.”
The attack was beyond huge. It shut down more than 6,000 computers, forcing staff to use paper charts and face-to-face messaging. It put lives at risk, but hospital officials nevertheless refused to pay a ransom of 24 bitcoins, equal to nearly $30,000, to unlock the medical center’s system.
It was the right decision. Even if the extortionists were as good as their word and unlocked the computers – no sure thing – security experts and law enforcement authorities argued against making the payment. The computers could have remained infected and subject to new attacks, they pointed out. And, as officials said at the time of the incursion, paying the ransom wasn’t the right thing to do.
The hospital was fortunate in one regard: Leaders there had taken seriously the advice of its general counsel, internal auditors and insurance broker to increase its insurance coverage against such attacks. As a result, Quatroche says he is confident that the hospital can recover the costs related to the attack. But count higher insurance rates as another cost of doing business in the 21st century.
As useful – and, at this point, essential – as the internet is in daily life, it is sharply double-edged. Terrorists use it to make bombs. Liars use it to promote fake news meant to advantage a favored issue or individual. Trolls use it to harass others they lack the energy or courage to confront personally. And extortionists use it to enrich themselves by compromising the information of others. That’s how it is in 2017, and the immediate prospect is only for bad to become worse.
The good news is that there are steps that everyone can take to protect computer security. In the case of high-profile targets – such as hospitals – that can be an expensive proposition. But expensive is a relative word: It’s still cheaper than suffering an attack and all the costs that come with it.