I wish my health provider had paid the ransom. They screwed up and got hacked and wouldn’t or couldn’t pay the ransom, now the entire clinic has no health records for their patients. My doctor can’t see any health info older than a few years. I couldn’t believe what she was telling me.
The ransomware seems like a side issue. Evidently, your health provider doesn't care that much about your health records. Even ignoring security issues, they had no reliable backup. A fire would have produced this result.
Perhaps, perhaps not - there are many companies which had reasonable backups which would have protected them in case of a fire, but since they were accessible remotely with administrator privileges, the ransomware operators were able to destroy the backups, as is their standard practice.
To be fair, a sophisticated ransomware attack is more difficult to mitigate than most data loss events. A fire won't steal your AWS credentials. Not understanding the need for backups that are both off-site and offline isn't quite the same as not caring.
This is the reality of where the pay/don't pay falls down.
If your records have been encrypted and taken, you have already taken a reputational hit to sensitive information. If you can recover your operations then you shouldn't even think about paying the ransom. However, if your systems have been encrypted AND you can't recover them AND not having your systems is catastrophic to your business continuing then you may consider paying the ransom. Hopefully with a renewed understanding of how important it is to have appropriate information security controls in place.
The only way not paying ransoms will happen, is if it is made illegal or there are significant penalties as a result of doing so. Otherwise, for some businesses not paying the ransom when their systems are offline is too risky.
It hurts, but it’s the only way we can get the wealthy to take security seriously. Otherwise, to take an exaggerated example, only rich hospitals will be able to pay ransoms and poor people/hospitals will have no records (globally).
If they had to pay the ransom there would be a price set on security complacency, and that becomes the yardstick to use on further investments to harden their systems.
In contrast, losing all patient data is now associated with a malicious attack, so they can hide behind the victim status, the actual damage isn't directly on their bottom line but on the quality of the care to their patient, and they can keep underinvesting in security as long as they have plausible deniability of wrongdoing in the next attack.
Or instead of banding together to not pay, organizations/nations could pool money to help poorer hospitals pay. Maybe that, too, would make the rich think more about global security.
So some asshat will be in charge of IT at [poor hospital], some rich people will foot the bill, and somehow that will improve...what? What is "global security?"
Global security meaning: Perhaps, if the rich found that the cost of supporting poor hospitals was high, they'd determine that they would prefer to invest in cybersecurity in poor hospitals. (Not likely, considering how few wealthy organizations care about cybersecurity in their own organizations.)
I don't think that's quite fair. Each organization, especially one that possesses sensitive customer data, has a custodial duty to secure that data. Most of these attacks are very preventable by following well documented best practices and industry recommendations.
I think that "I wish my health provider paid the ransom" and "Health organizations should be responsible for protecting my data" are completely compatible views to hold.
If nobody paid the ransom, ransomware attacks would be reduced to nearly zero. Paying the ransom means that other people will get ransomware attacks. So, effectively speaking, wishing someone paid the ransom means that you're also wishing that others will get hit with attacks, because that's a direct consequence of paying.
I follow your logic, I just think your conclusion is vastly oversimplified. Not paying the ransom also means that other people will get ransomware attacks. There is no direct causality here.
There is some game theory, sure (a prisoner's dilemma, really). If nobody ever paid ransoms, there would be very little incentive for ransomware (though still not zero, some people just want to create chaos).
But I don't think in a world-sized game with billions of actors that you can ascribe causality to the actions of a single actor. Wishing that you had driven to work instead of taking public transit (perhaps you missed an important meeting as a result) is not equivalent to wishing for public transit to be defunded (there is an equivalent feedback loop - decreasing ridership corresponds to reduced funding for public transit programs).
Then consider that ransomware is only possible because of cybersecurity failings, and investing money into reasonable (some might even call them "common sense") security measures would also reduce these incidence rates to nearly zero.
To be clear, I'm not advocating for paying ransomware ransoms, generally. I think this coalition is a good thing. But if a healthcare provider loses years of customer health data, that could lead to measurably worse health outcomes, and even excess mortality, for real people. An institution getting financially punished for not investing adequately in security seems like a better outcome than jeopardizing the health of real patients in the name of 'solidarity'. Meanwhile, a dozen other institutions pay the ransom and business continues as usual.
Yes, I completely understand the purely practical side of the issue. And perhaps paying the ransom does achieve a local maximum in terms of least harm, but it also prevents achieving an even greater maximum of least harm.
To be clear, I'm not saying that anyone is obligated to "take one for the team", or that anyone is bad for not being willing to. I'm just saying that if everyone was willing to, far less harm would be done in the longer term.
To me, a ransomware attack is little different than if someone just physically blew up the computers (or, with medical records, the hospital). It's a huge, costly disaster, but the damage is done. If we as a society thought of it like that and perhaps provided support (financial and otherwise) for people who get harmed like we do with any other large disaster, we could be in a better place for everyone except the criminals. Maybe we'd even put systems into place for the greater redundancy of medical records, to mitigate against actual health consequences of such attacks.
We'd also have greater interest in providing support for implementation, education & investigation in terms of hardening against such attacks.