Health Held Hostage: Hospitals Under Cyber-Attack

Imagine you need emergency surgery, but the hospital’s computers are down – victim of a malicious ransomware attack. Processing blood-typing must be done by hand, delaying the results; X-rays can’t be transmitted to the radiologist on call for review. The hospital is refusing to pay the cyber-terrorist's ransom demand. All the while, your medical records (and you) are in limbo.
Image by kalhh from Pixabay

In May, a cyberattack on Colonial Pipeline threatened to shut down the company’s fuel distribution network – igniting fears of a global gasoline shortage. While cyberattacks have increased dramatically in the last two years [1], this attack highlighted the impact of ransomware [2] that portends to disrupt vital services. Shortly after being attacked, the company paid a 4.4 million dollar ransom – disregarding legal concerns and ethical objections. 

The current views and legal policy of the United States government strongly discourages succumbing to cyber hacking and ransomware. Some advocate banning ransom payments entirely – thinking (hoping?) that attacks might stop if they don’t pay up.  

The Colonial Pipeline decision was not made lightly. In weighing the considerations, the company’s CEO declared the decision was made in the country's best interests.  That may be so, but it flies smack in the face of U.S. guidance documents warning against capitulating to such demands, fearful that they may encourage or embolden the attackers, or that the sums paid may aid political activities, although some groups deny political aims. At least three states have laws discouraging paying cyber-extortion demands –although it’s not strictly illegal. The FBI discourages payment, partly because it is not a guarantee of future protection. 

For now, though, it may still be legal to pay under certain circumstances. [3] 

But while it may be lawful, is it the morally correct choice?

Traditional ethical paradigms mostly come down to the consensus against capitulating to extortion. Virtue ethics feels “(it’s not the “right” thing to do;” while under Kantian thinking, it violates the golden rule by rewarding evildoers.

Tell that to a patient whose hospital has been hacked and can’t have dialysis because records are unavailable, or those who can’t be treated because medication records have been blocked and the physician doesn’t know what drugs the patient is currently taking, or the neonate whose fetal monitor is savaged. These scenarios are not imaginary. In 2020, more than 29 million health records were compromised, 67% due to hacking, including the largest a ransomware attack on cloud service provider, Blackbaud.

"The opportunity for error is massive. I mean things like people getting the wrong blood transfusions, samples being sent under the wrong patient's name," one of the doctors at a Dublin hospital told ABC News.” 

The horrors and dangers of a hospital system cyberattack became frightfully obvious when the Irish health system was hacked on May 14 - adding to the problems the country’s hospitals were facing from COVID. 

Vexing challenges from the attack arose from the unavailability or limited access to patients' records, including medical histories. To bypass obstacles involved in transferring x-rays from one physician to another, doctors were obliged to photograph them on Smart Phones and sent them by WhatsApp. Even then, lack of access to prior films made comparisons impossible. Radiation therapy for cancer patients was largely suspended because computers are needed to control dosing.

The Irish government refused to pay. A week later, the payment refusal had convinced the cyber-attackers to furnish a decryption key – while they continued their threat of releasing confidential patient information. Ten days later, even with the decryption key, the hospital was still not functioning properly, leaving patients ill-attended for almost a month.

Things are bound to get worse 

A new, particularly odious form of ransomware currently under development invites the victim to participate in the “crime,” a novel twist sure to give game-theorists a charge:

“Infected victims of the ransomware known as Popcorn Time, have the option to either pay up, or they can opt to infect two others using a referral link. If the two new ransomware targets pay the ransom, the original target receives a free key to unlock files on their PC.”

Lawrence Abrams of 

There is evidence the “don’t play nice” policy works. 

The Avaddon ransomware group recently shut down its efforts attributed to heightened federal policy, providing free decryption keys to 2,934 of their victims. The Colonial Pipeline incident prompted President Biden to institute a new Executive Order to improve government response by: 

  • "Improving information-sharing between the U.S. government and the private sector on cyber issues." 
  • Improving detection of hacks into federal systems 
  • Creating a "standardized playbook" for how should the government respond to attack

Nice. But I fail to see how Biden’s move will help a hospital held hostage. This brings us back to the ethical debate on capitulating to the cyber-terrorist. 

The third prong of the paradigmatic ethical approach is utilitarianism – “the most good for the most number.” John Stuart Mills and Jeremy Bentham, the originators of the theory’s best-known school of thought, never articulated a time constraint in that determination. Perhaps amortized over the years cyber-attacks have been going on and are anticipated to continue, disincentivizing the practice might confer the greatest benefit. However, in the short term, capitulating to the cyber-terrorists may provide the more significant service, at least economically. Surely it would to hospital patients – translating into immediate lives saved. 

Competing ethical rubrics don’t provide clear or sure guidance. Instead, perhaps the better approach would be pragmatism. Much has been written and published about cyber-protection, including hospitals, and the steps to prevent an attack or minimize damages. But, unfortunately, they do not seem to be of much use so far.

Practical steps: we can take

  1. Keep a copy of your medication record on you at all times, including the name of drug and dosage (and any medicines for which you’ve had an allergic reaction in the past); give another copy to your spouse/partner/companion/parent. 
  2. Maintain personal copies of your X-rays; they are all digital, so you could even keep them on your smartphone.
  3. If hospitalized, keep a personal record of your care and make sure you keep it updated.
  4. If you have a complicated medical history or a potentially life-threatening one, take a mini-medical file with you when you travel.


[1] According to the Federal Bureau of Investigation’s 2018 and 2019 Internet Crime Reports, there was a 37 percent annual increase in reported ransomware cases and a 147 percent annual increase in associated losses from 2018 to 2019

[2] A type of malicious software that locks access to a computer until a ransom is paid

[3] The Treasury Department has issued advisory guidance proposing sanctions under certain conditions.  “The Office of Financial Asset Control (OFAC) has imposed, and will continue to impose, sanctions on these actors and others who materially assist, sponsor, or provide financial, material, or technological support for cyber-attack activities when orchestrated by [foreign]… agents.”