INDIANAPOLIS (WTHR) — Hospitals, businesses and local governments are increasingly falling victim to cybersecurity thieves – described as modern-day bank robbers. And it’s costing us millions.
“They’re happening constantly,” said Mat Gangwer, director of Managed Threat Response at Sophos, a cybersecurity firm. “Ransomware is a very common tactic being employed.”
The FBI said there were more than 1,400 ransomware attacks across the country in 2018. Victims reported to the FBI that they paid a combined $3.6 million to regain access to their hijacked information during that same time. Insurance companies, though, paid out claims reaching almost $400 million. That's why the FBI calls it a very underreported crime.
In the last few years, local victims include governments in Pike Township, Madison County, LaPorte County, the Brownsburg Public Library and Hancock Regional Health System.
As a result, governments, hospitals and businesses large and small are turning to cybersecurity insurance.
Premiums for cybersecurity policies grew to $2 billion last year, more than double what was written in 2015.
Nicholas Bozzelli of Fishers-based Bozzelli Insurance said they now offer cyber liability policies to all of their clients.
“You have to sign off if you elect not to obtain it,” he said.
How much does cybersecurity insurance cost?
Policies vary depending on risk, exposure, and the amount of protection you’re looking for.
Johnson County’s yearly premium is $13,000.
Boone County pays a little more than $11,000.
“I believe local governments are paying anywhere from $15,000 to $35,000 per year. But recent events will most likely cause rates to go even higher,” said Alan Shark, who studies cybersecurity at the Public Technology Institute.
Bozzelli said smaller amounts of protection can cost around $400 per year.
“Some people (still) don’t realize it’s available to them,” said Gangwer. “Others have purchased it, but haven’t purchased enough coverage, so when there is an event … when they try to get into that insurance policy, it’s not going to cover all the expenses involved.”
It's not if, it's when
Steve Long never imagined he’d find himself on the frontline of a war zone.
“We were actually attacked,” said Long, who is president and CEO of Hancock Regional Health.
It was Jan. 11, 2018 and Long and his administrative team were taking fire.
"I get this call from our administrator on call and he said 'hey there's something weird on a computer in the lab,'” Long said.
Criminals had hacked into the hospital's IT system and locked everyone out from some of their most critical information. The hackers were demanding a ransom be paid to get it back.
"And every single computer had been affected. It permeated the network almost instantly," Long said.
The incident lasted three days and Long said it cost the hospital system $300,000. That included the ransom and the price to get systems back up and running with help from a forensic IT company.
Why did the hospital system decide to pay the ransom?
“Nobody wants to do that,” said Long. “But it is a business continuity decision. So we did.”
The organization paid the ransom using bitcoin, Long said, and soon after, they received 1,400 decryption keys to unlock their system.
Long said that patient safety was never in danger.
“There are bad actors out there,” Long said. “They could be private individuals, they could be nation states … and it was devastating for about three days. But we have a really good team here and if you have good organizational dynamics, you’ll get through something like this.”
Long said the incident helped them realize that, while they had a company monitoring the hospital’s network and had purchased cyber liability insurance, they could have been even better prepared.
“Now we have the best of everything,” Long said. “And I can tell you the difference in cost between the average of everything and the best of everything is not that much.”
Long has shared his story more than 30 times to national audiences, letting them know about the lessons he learned and how others can make sure they’re prepared.
“Just know it’s not ‘if,’” he said. “It’s ‘when.’”
Small business impact
Miriam Rolles paid more than $7,500 to regain her vital business records. She's a small business owner from Greenfield and works in the real estate industry.
"I mean it’s terrifying,” Rolles said. “I'm thinking first off, 'oh my gosh, they’ve locked my files, do they know my financials? Do they know any of my other information?'"
Rolles said she’s since hired a cybersecurity firm to make sure her information is secure. She had not heard of cyber liability insurance before this all happened.
“But it makes sense,” she said. “I think we are going to see more and more of that. And we have to be ready for it.”
What else can I do to protect information?
Cybersecurity experts said insurance is only part of what businesses, governments, and individuals can consider.
In fact, in a statement to WTHR, the FBI recommends against paying a hacker’s extortion demands. The agency said the best approach is to focus on defense.
“The payment of extortion demands encourages continued criminal activity, leads to other victimizations, and can be used to facilitate additional serious crimes. Additionally, paying a ransom does not guarantee the victim will regain access to their data. The best approach is to focus on defense in depth and have several layers of security as there is no single method to prevent compromise or exploitation.”
“Ransomware typically spreads through phishing emails or through infected websites,” said Gangwer. He added there are several things we can all do to protect ourselves.
- Be sure that your software and operating systems are always up to date. Outdated applications and operating systems are the target of most attacks.
- Never click on links or open attachments in unsolicited emails.
- Back up data on a regular basis in case you need to restore it later.
- Protect your devices with an anti-ransomware solution.
The FBI’s ransomware pamphlet contains information on how to prevent becoming a victim and how to report when you’ve been hacked.