[ad_1]
FRANKLIN – In October 2021, Johnson Memorial Health went dark.
A cyberattack had infiltrated the health system’s networks and claimed to possess large amounts of patients’ personal information. The ransomware group was demanding a $3 million Bitcoin payment.
Rather than oblige, hospital administrators decided to go offline to determine the extent of the breach and prevent losing any more data, explained Dave Dunkle, president and CEO of the network.
Soon, hosptial staff were operating in the digital dark age, using paper forms to document all their procedures. Couriers scurried between departments hand-delivering blood-draw orders. With monitoring equipment down, more nurses were called in to the critical-care unit to physically observe each patient.
“It was rough,” Dunkle said. “It was very rough.”
The ransomware group never got paid, but the attack still cost the healthcare system millions of dollars to deal with the fallout. More than two years later, the hospital still hasn’t recovered financially.
“You don’t get that lost business back,” he said. “With margins being so slim for community hospitals like ours, we’re still suffering from the lost income during the attack.”
‘PAIN POINT’
Johnson Memorial Health is just one of thousands of Indiana businesses and organizations struggling to rebound after being targeted by a malware or ransomware scheme.
In recent years, the amount of money lost due to internet crimes has skyrocketed across the state. In 2019, Hoosier victims reported losing over $24 million. Last year, that number more than tripled to $73.5 million, according to data from the most recent FBI Internet Crime Report.
That’s despite the fact the number of reported cybercrime victims in Indiana actually declined by around 1,000 since 2020, when nearly 12,800 fell prey to an attack.
During the first six months of this year, insurance claims for ransomware attacks increased nationally by 27% compared to the second half of 2022, according to Coalition, a company that sells cyber insurance.
The average ransom demand was $1.62 million during the same timeframe, marking a 47% increase from the previous six months and a 74% increase over the past year, according to the report.
The data indicates cybercriminals are developing more sophisticated, strategic attacks towards companies that have highly sensitive information and rely heavily on online networks to function, explained Scott Shackelford, director of Indiana University’s Center for Applied Cybersecurity Research.
“They can really go after the stuff that’s going to have the highest pain point in terms of making sure that a place like a clinic pays up as quickly as possible,” he said.
And more companies are paying up than ever before. In 2018, less than half of companies across the globe paid a ransom to recover their data, according to a cybersecurity report by Statista. This year, nearly 73% decided to shell out a ransom payment.
It’s a dangerous trend. As more businesses pay up, cybercriminals are emboldened to attack even more companies, knowing the majority will simply give them money to quickly resolve the issue, according to Marcus Rogers, director of Purdue University’s cyberforensics lab.
“It’s kind of a catch-22 and a bit of a vicious circle,” he said.
TO PAY OR NOT TO PAY?
The federal government has taken a controversial approach to disrupting that cycle.
In 2020, the Treasure Department’s Office of Foreign Assets Control issued an advisory stating companies or citizens that pay certain ransoms could face fines or even jail time for violating U.S. sanctions.
Dunkle with Johnson Memorial Health said one reason they didn’t pay their ransom was because FBI agents helping them through the attack emphasized the company could face stiff penalties if they obliged.
“They were sure to let us know that, which was wonderful,” he said sarcastically.
The Treasury emphasized the potential sanctions towards U.S. companies were part of a larger effort to stop cyberattacks by removing the financial incentives.
“As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks,” said Treasury Secretary Janet Yellen in a release.
Shackelford with IU said he understands that reasoning, but believes it’s wrong to expect companies who have already been victimized and lost money to a cyberattack to then face a fine.
Instead, the federal government should consider providing assistance to core service providers like hospitals and police departments to beef up cybersecurity, Shackelford said.
“We’re never going to get everybody to stop paying ransom,” he said. “I think we just need to do a better job of getting resources to those critical infrastructure operators.”
Dunkle agreed. He said a more productive way to address the problem would be to create a checklist of cybersecurity measures companies need to take, and then provide funding for those who need it to implement those measures.
That’s especially true considering the cost of cybersecurity services has increased dramatically. Dunkle estimated his network is paying over 30% more for the same services compared to a couple of years ago.
“It’s outlandish, and I don’t feel like that’s sustainable for small hospitals,” he said. “It’s all very expensive, and it keeps getting more expensive.”
‘PUSH THE NEEDLE’
Cyberattacks in Indiana often illicit a ransom payment from a company by taking Hoosiers’ personal information hostage. Federal law doesn’t provide any protections for that data. That leaves states to grapple with how best to deal with privacy issues.
That’s something Indiana did earlier this year when legislators passed Senate Bill 5 and became just the seventh state to adopt a comprehensive data privacy policy, according to Bloomberg Law. Three other states have approved similar bills since then.
When the policy takes effect in 2026, the legislation will substantially expand what is considered private data. It also requires companies that control data to “adopt and implement reasonable administrative, technical, and physical data security practices,” but doesn’t provide details on what that entails.
Marcus Rogers with Purdue’s cyberforensics lab said the legislation is a step in the right direction to encourage companies to better protect data. But he criticized lawmakers for allowing special interest groups to “water down” the bill by including broad definitions that provide loopholes to avoid enforcement.
“There are lots of ways of wiggling out of it,” he said. “Hopefully it has pushed the needle for any company that was kind of waffling about whether they should be doing this or not.”
Shackelford with IU, however, called the legislation a “big step forward” – even if it doesn’t take a more aggressive approach compared to states like California, where consumers can sue companies that violate its data privacy laws.
In Indiana, the Attorney General is the only one that can bring litigation for violating the state’s data policy. Historically, the office has been aggressive in pursuing legal action against companies that fail to meet cyberattack reporting requirements, according to the international law firm White & Case.
The firm stated that “businesses should not be surprised by a similarly aggressive enforcement approach by the Indiana Attorney General” under the new data policy.
That enforcement was on display last month when the office announced Indiana will receive $690,000 as part a five-state settlement with the financial services company Morgan Stanley to resolve allegations of negligent internal data security practices.
More aggressive tactics to force Hoosier companies to take action against the bombardment of cyberattacks will become more necessary as ransomware becomes even more sophisticated, argued Rogers.
“This is an arms race, and we’re always behind the curve,” he said.
[ad_2]