Operations
2/19/2016
11:00 AM
Andrew Hay
Andrew Hay
Commentary
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
100%
0%

Adding Up The Total Costs of Ransomware

It's a lot more than just the ransom. We did the math.

You may have already heard about the $17,000 ransom that Los Angeles-based Hollywood Presbyterian Medical Center paid to regain control of their systems after the news broke Feb. 12. Time the news broke to the time the ransom was paid: four days. It may have started days before the news leaked but, for the sake of this blog post, we’ll assume four days total.

According to the American Hospital Directory, Hollywood Presbyterian had $974,387,384 in revenue and $20,979,948 in net income for 2015. If we divide both figures by 365 days we see that the hospital takes in roughly $2.7 million in revenue and generates $57,479 of net income per day. It was noted in several reports that long delays were experienced by patients and that medical information was being shared via phone and fax between doctors.

Let’s assume a 5% attrition per day for patients that decided to go to another hospital instead of dealing with the degraded experience. That’s a very conservative estimate, resulting in only 1.3 patients leaving per day, based on the 12,291 reported discharges in 2015. Hollywood Presbyterian is not the only hospital nearby. In fact, the Kaiser Permanente Los Angeles Medical Center is only 0.3 miles away (a 6-minute walk according to Google Maps) so our attrition rate is likely a conservative figure.

Our estimates show that Hollywood Presbyterian, with an attrition rate of 5% for the affected days, could have lost as much as $533,911 in revenue. This would have resulted in roughly $11,496 in net income losses.

Even using extremely casual attrition estimates of 1% still shows a meaningful impact on both revenue and income coming in at $106,782 and $2,299, respectively. 

As you can see, the reported $17,000 ransom was not the only expense incurred by Hollywood Presbyterian. These are, however, rough estimates. The estimates do not quantify the damage to the hospital’s brand and reputation, nor will it account for the reactionary investment in new security technologies that the hospital will undoubtedly be purchasing and implementing. The estimates also do not factor in the employee costs associated with diagnosing and addressing the issues during the incident.

And then there is the way the medical personnel exchanged information -- phone and fax. It’s with a high degree of confidence that some personally identifiable information (PII) and non-public information (NPI) was shared using these "traditional-non-traditional" methods of information exchange. As the organization likely digitizes nearly all of its data transmissions, what is the likelihood that some PII or NPI was exposed over the four-day period? I would argue that the likelihood is higher than usual and higher than what HIPAA and HITECH would deem compliant. I would not be surprised if the fallout of this event echoes for months to come. 

Andrew Hay is the CISO at DataGravity where he advocates for the company's total information security needs and is responsible for the development and delivery of the company's comprehensive information security strategy. Prior to that, Andrew was the Director of Research at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.