Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations

2/19/2016
11:00 AM
Andrew Hay
Andrew Hay
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

Adding Up The Total Costs of Ransomware

It's a lot more than just the ransom. We did the math.

You may have already heard about the $17,000 ransom that Los Angeles-based Hollywood Presbyterian Medical Center paid to regain control of their systems after the news broke Feb. 12. Time the news broke to the time the ransom was paid: four days. It may have started days before the news leaked but, for the sake of this blog post, we’ll assume four days total.

According to the American Hospital Directory, Hollywood Presbyterian had $974,387,384 in revenue and $20,979,948 in net income for 2015. If we divide both figures by 365 days we see that the hospital takes in roughly $2.7 million in revenue and generates $57,479 of net income per day. It was noted in several reports that long delays were experienced by patients and that medical information was being shared via phone and fax between doctors.

Let’s assume a 5% attrition per day for patients that decided to go to another hospital instead of dealing with the degraded experience. That’s a very conservative estimate, resulting in only 1.3 patients leaving per day, based on the 12,291 reported discharges in 2015. Hollywood Presbyterian is not the only hospital nearby. In fact, the Kaiser Permanente Los Angeles Medical Center is only 0.3 miles away (a 6-minute walk according to Google Maps) so our attrition rate is likely a conservative figure.

Our estimates show that Hollywood Presbyterian, with an attrition rate of 5% for the affected days, could have lost as much as $533,911 in revenue. This would have resulted in roughly $11,496 in net income losses.

Even using extremely casual attrition estimates of 1% still shows a meaningful impact on both revenue and income coming in at $106,782 and $2,299, respectively. 

As you can see, the reported $17,000 ransom was not the only expense incurred by Hollywood Presbyterian. These are, however, rough estimates. The estimates do not quantify the damage to the hospital’s brand and reputation, nor will it account for the reactionary investment in new security technologies that the hospital will undoubtedly be purchasing and implementing. The estimates also do not factor in the employee costs associated with diagnosing and addressing the issues during the incident.

And then there is the way the medical personnel exchanged information -- phone and fax. It’s with a high degree of confidence that some personally identifiable information (PII) and non-public information (NPI) was shared using these "traditional-non-traditional" methods of information exchange. As the organization likely digitizes nearly all of its data transmissions, what is the likelihood that some PII or NPI was exposed over the four-day period? I would argue that the likelihood is higher than usual and higher than what HIPAA and HITECH would deem compliant. I would not be surprised if the fallout of this event echoes for months to come. 

Andrew Hay is the CISO at DataGravity where he advocates for the company's total information security needs and is responsible for the development and delivery of the company's comprehensive information security strategy. Prior to that, Andrew was the Director of Research at ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Commentary
Ransomware Is Not the Problem
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  6/9/2021
Edge-DRsplash-11-edge-ask-the-experts
How Can I Test the Security of My Home-Office Employees' Routers?
John Bock, Senior Research Scientist,  6/7/2021
News
New Ransomware Group Claiming Connection to REvil Gang Surfaces
Jai Vijayan, Contributing Writer,  6/10/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-20733
PUBLISHED: 2021-06-22
Improper authorization in handler for custom URL scheme vulnerability in ????????? (asken diet) for Android versions from v.3.0.0 to v.4.2.x allows a remote attacker to lead a user to access an arbitrary website via the vulnerable App.
CVE-2021-20734
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in Welcart e-Commerce versions prior to 2.2.4 allows remote attackers to inject arbitrary script or HTML via unspecified vectors.
CVE-2021-20735
PUBLISHED: 2021-06-22
Cross-site scripting vulnerability in ETUNA EC-CUBE plugins (Delivery slip number plugin (3.0 series) 1.0.10 and earlier, Delivery slip number csv bulk registration plugin (3.0 series) 1.0.8 and earlier, and Delivery slip number mail plugin (3.0 series) 1.0.8 and earlier) allows remote attackers to ...
CVE-2021-20736
PUBLISHED: 2021-06-22
NoSQL injection vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to obtain and/or alter the information stored in the database via unspecified vectors.
CVE-2021-20737
PUBLISHED: 2021-06-22
Improper authentication vulnerability in GROWI versions prior to v4.2.20 allows a remote attacker to view the unauthorized pages without access privileges via unspecified vectors.