
[1410] Lives On-Line

Posted: Mon Mar 25, 2019 8:24 am
by Verdant Haven
Hospitals getting hit with ransomware has been an extensive and ongoing problem. Cases keep making the news, and in some cases, the hospitals have actually been paying the ransoms, since lives are on the line. Examples include this one (which paid), this one later that same day, and these three the year before.

Looking through issues, while we've got a couple with hackers and our friend the DEAT virus (issue 57, issue 650) and one issue revolving around ransoming kidnap victims (656), I think this is a unique enough topic to address directly.


[TITLE] Lives On-Line

[VALIDITY] Has computers and internet

[DESCRIPTION] After a @@DEMONYM@@ hospital quietly paid out in a recent ransomware attack, numerous other hospitals across @@NAME@@ have been targeted by criminals hoping to cash in. The unknown perpetrators behind these attacks have demanded large quantities of @@CURRENCYPLURAL@@ to provide unlock keys for the encryption, and hospital administrators have come desperately seeking guidance from law enforcement.


[OPTION 1] "We don't have any choice but to pay, right?" asks the chief physician of one affected hospital, Dr. @@RANDOMNAME@@, while @@HIS@@ colleagues nod nervously in agreement. "Lives are on the line, and if we don't get access back in to these files, there will be fatal consequences. Life-saving surgery will be delayed, medications will get mixed up, and there's no telling what kind of vital records will be lost! We swore an oath!"

[EFFECT 1] weekly ransom attacks strike the nation's hospitals


[OPTION 2] "You can't possibly suggest giving in to terrorists!" cries out @@RANDOMNAME@@, an adjuster for one of the insurance agencies that would have to pay out. "It's a matter of principle not to reward bad behavior. We've already seen that if you pay, it will just happen again and again! It's more important to refuse every claim than to pay out on the off chance it will save somebody. Did I say claim? I meant demand. Refuse the terrorist demands!"

[EFFECT 2] a few innocent deaths are considered proof of principles


[OPTION 3] "We may be able to crack this code" murmurs Deputy Chief @@RANDOMNAME@@, head of your electronic crimes unit. "I'm going to need a few dozen engineers, unfettered access to the network, and all the computing power you've got! You should force hospitals to set up better cyber-defenses, and fine the heck out of any that allow security breaches in the future!"

[EFFECT 3] hospitals fear government fines more than terrorist ransoms


[OPTION 4] "This would never have happened with pen and paper!" declares a bureaucrat who has worked for the government longer than you've been alive. "Leave all the computers and the internet and the saggy pants and the hippity-hop to those young folks who don't know better. When lives are on the line, you can't be online. Tell vital services to stick to good old fashioned handwriting - then they're safe from those nasty folks on the web."

[EFFECT 4] doctors fax when they need facts fast



Draft 3a:
[OPTION 3] "We may be able to crack this code" murmurs Assistant Chief @@RANDOMNAME@@, head of your electronic crimes unit. "I'm going to need a few dozen engineers, unfettered access to the network, and all the computing power you've got! In the meantime, you should tell them to set up cyberwarfare offices at each hospital, so they're able to independently face these threats in the future."

[EFFECT 3] hospitals employ more IT staff than medical staff



2nd draft:
[TITLE] Lives On-Line

[VALIDITY] Has computers

[DESCRIPTION] A number of hospitals across @@NAME@@ have recently been hit by a vicious ransomware attack called TAED (Terminate All Ethernet Devices). Arriving via email attachment, it has spread across their internal networks, encrypting patient records, lab results, and critical life-safety information. The unknown perpetrators behind these attacks have demanded large quantities of @@CURRENCYPLURAL@@ from the government to provide unlock keys for the encryption, threatening the lives of many of your citizens in desperate need of medical care.

[OPTION 1] "You don't have any choice but to pay!" announces the chief physician of one affected hospital, Dr. @@RANDOMNAME@@, while @@HIS@@ colleagues nod in agreement. "Lives are on the line, and if we don't get access back in to these files, there will be fatal consequences. Life-saving surgery will be delayed, medications will get mixed up, and there's no telling what kind of vital records will be lost! We swore an oath, and it's the government's job to protect citizens!"

[EFFECT 1] weekly ransom attacks strike the nation's hospitals


[OPTION 2] "Do not give in to terrorists!" cries out @@RANDOMNAME@@, a treasury department functionary and insurance industry veteran. "It's a matter of principle that we must not reward bad behavior. If you pay them off, they'll just do it again and again! It's more important to refuse every claim than to pay out on the off chance it will save somebody. Did I say claim? I meant demand. Refuse the terrorist demands!"

[EFFECT 2] a few innocent deaths are considered proof of principled behavior


[OPTION 3] "We may be able to crack this code" murmurs Assistant Chief @@RANDOMNAME@@, head of your electronic crimes unit. "I'm going to need a few dozen engineers, unfettered access to the network, and all the computing power you've got! While we're at it, you should probably set up a cyberwarfare division at each hospital, to fight back against these online threats directly!"

[EFFECT 3] hospitals house more IT staff than medical staff


[OPTION 4] "I may just be a strange old man, but this would never have happened if we were using pen and paper!" declares a strange old man you've never noticed in your office before. "Leave all the computers and the internet and the saggy pants and the hippity-hop to those young folks who don't know better. When lives are on the line, you can't be online. Public services and government need to stick to good old fashioned handwriting! Then you're safe from those nasty folks on the web."

[EFFECT 4] the fax machine has made a staggering comeback


1st draft:
[TITLE] Lives On-Line

[VALIDITY] Has computers

[DESCRIPTION] A number of hospitals across @@NAME@@ have recently been hit by a vicious ransomware attack called TAED (Total Annihilation of External Defenses). Arriving via email attachment, it has spread across their internal networks, encrypting patient records, lab results, and critical life-safety information. The unknown perpetrators behind these attacks have demanded large quantities of @@CURRENCYPLURAL@@ to provide unlock keys for the encryption, and lives may hang in the balance.

[OPTION 1] "We don't have any choice but to pay!" announces the chief physician of one affected hospital, Dr. @@RANDOMNAME@@, while @@HIS@@ colleagues nod in agreement. "Lives are on the line, and if we don't get access back in to these files, there will be fatal consequences. Life-saving surgery will be delayed, medications will get mixed up, and there's no telling what kind of vital records will be lost! Darn the cost, we swore an oath!"

[EFFECT 1] weekly ransom attacks strike the nation's hospitals


[OPTION 2] "Do not give in to terrorists!" cries out @@RANDOMNAME@@, an adjustor for one of the insurance companies that would eat the costs of the ransom. "It's a matter of principle that we must not reward bad behavior. If you pay them off, they'll just do it again and again! It's more important to refuse every claim than to pay out on the off chance it will save somebody. Did I say claim? I meant demand. Refuse the terrorist demands!"

[EFFECT 2] a few extra deaths are considered a cost of doing business


[OPTION 3] "We may be able to crack this code" murmurs Assistant Chief @@RANDOMNAME@@, head of your electronic crimes unit. "I'm going to need a few dozen engineers, unfettered access to the network, and all the computing power you've got! While we're at it, each hospital should probably set up a cyberwarfare division, to fight back against these online threats!"

[EFFECT 3] hospitals employ more IT staff than medical staff


[OPTION 4] "I may just be a strange old man, but this would never have happened if we were using pen and paper!" declares a strange old man you've never noticed in your office before. "Leave all the computers and the internet and the saggy pants and the hippity-hop to those young folks who don't know better. When lives are on the line, you can't be online. Public services and government need to stick to good old fashioned handwriting! Then you're safe from those nasty folks on the web."

[EFFECT 4] the fax machine has made a staggering comeback

Posted: Tue Mar 26, 2019 6:51 am
by Baggieland
Nice issue VH. The only thing I'm thinking of at the moment is NHS hospitals vs private hospitals. NHS the government would have to pay the ransom / increased defensive measures. Maybe this needs a no NHS validity?

Posted: Tue Mar 26, 2019 9:43 am
by Verdant Haven
Baggieland wrote: Nice issue VH. The only thing I'm thinking of at the moment is NHS hospitals vs private hospitals. NHS the government would have to pay the ransom / increased defensive measures. Maybe this needs a no NHS validity?


Oh, hmm, is that the Universal Health Care policy you're talking about? I forgot about that one.

What I can do is write up 2b and 3b options that check the UHC validity, because as you say, it would be the government paying it out or hiring staff! They're just as susceptible, so I wouldn't want to exclude them from the whole issue, but it is certainly relevant who is handling it when it happens. Thanks for the catch!

Posted: Tue Mar 26, 2019 10:13 am
by Candlewhisper Archive
Well in a private hospital, why would the decision to pay lie with the government?

I'd suggest changing the premise so that the government is being held hostage even while the ransomware targets the hospitals. Maybe to mix it up a bit, the demands could be non-financial, to account for why the government is being asked to decide. For example, maybe they're demanding the release of an Ultravioletist terrorist who is currently in detention.

Posted: Tue Mar 26, 2019 11:50 am
by Verdant Haven
Candlewhisper Archive wrote: Well in a private hospital, why would the decision to pay lie with the government?

I'd suggest changing the premise so that the government is being held hostage even while the ransomware targets the hospitals. Maybe to mix it up a bit, the demands could be non-financial, to account for why the government is being asked to decide. For example, maybe they're demanding the release of an Ultravioletist terrorist who is currently in detention.


You make a valid point. Once again, my own editing for length eliminated the portions explaining why it would be a government decision :-P

I'll see what I can do with it being an attack on hospitals with a direct demand against the government being made. Shouldn't be too hard of a transfer, just gotta workshop it :-D

I think I do have a preference for monetary demands, due partially to it being a frequent real-world occurrence, and partially because I don't want to make assumptions about the potential sympathies of the player governments. Some nations wouldn't have an ultravioletist in prison because they are ultravioletist themselves. Others, like my own, wouldn't have an ultravioletist in prison because we summarily execute anybody who evinces religious sentiment. They'd never have made it to the holding cell! More importantly though, I like maintaining the idea that the attacks are both by unknown parties, and that they aren't all necessarily the same party. Ransomware is cheap and easy to acquire, and usable by any number of folks for a quick buck.

Posted: Tue Mar 26, 2019 7:24 pm
by Verdant Haven
Alright - new draft up to adjust the demands IAW what CWA suggested, and to make sure it works regardless of having universal healthcare.

Thoughts?

Posted: Wed Mar 27, 2019 2:10 am
by Candlewhisper Archive
I think using the real world as a starting point is fine rather than directly transposing situations. The problem with it being a monetary demand is that you'd expect the default position to be that the hospitals are being blackmailed, and that the decision to pay or not would be the hospital's. After all, the criminals know that it's a lot easier for a hospital to back down than for a government to do so. The former can claim that they're putting patient interests first, and letting the police handle it AFTER the immediate threat is dealt with. The latter will run into accusations of moral cowardice and will probably not last long as a government.

Besides, if it's just "do you pay hostage takers?", well, we already have that issue...

Posted: Wed Mar 27, 2019 9:37 am
by Verdant Haven
Hmmm - a thought:

Would it work if the situation was that an initial hospital has paid ransom themselves, but that led predictably to additional attacks across the country. Healthcare providers are in turn asking government law enforcement for guidance on appropriate actions, and the options suggestions would be choices of "best practices" to promote from the top level? That is a reflection of what the FBI actually does for private industry in the US for Ransomware - outlining defenses and recommended actions when an attack hits: FBI guidance on Ransomware

Posted: Wed Mar 27, 2019 10:47 am
by Candlewhisper Archive
That could work! Potentially unwieldy though, so be sure to keep wordiness in check.

Posted: Wed Mar 27, 2019 10:50 am
by Verdant Haven
Candlewhisper Archive wrote: That could work! Potentially unwieldy though, so be sure to keep wordiness in check.


Excellent! I'll get to it.

Posted: Thu Mar 28, 2019 6:22 pm
by Verdant Haven
Alright - third draft is up with the story adjustments described in the posts above. The description and options now reflect that hospitals are being hit with ransomware, and are asking the government to provide official guidance on what they should do about it. Textual changes throughout, and actually managed to reduce the word count a bit.

Questions:
- Does this need a "capitalism" validity? I tried to avoid directly implying private businesses vs state-sponsored ones, but the entire thing is based around at least a certain amount of independence from government.
- Does it still feel like it needs separate options for 2 and 3 for nations with Universal Healthcare? I feel like maybe it doesn't, since that could be reflected in private hospitals for which the govm't foots the bill, but if it feels like this doesn't work for that, I can split those options and provide specific texts for that situation.

Obviously any other feedback is also welcome!

Posted: Fri Mar 29, 2019 4:39 am
by Candlewhisper Archive
It's more important to refuse every claim than to pay out on the off chance it will save somebody. Did I say claim? I meant demand.


This line is really funny, by the way. A great bit of satire on modern insurance.

This issue is looking good. I look forward to editing it. :)

Posted: Fri Mar 29, 2019 9:17 am
by Verdant Haven
Candlewhisper Archive wrote:
It's more important to refuse every claim than to pay out on the off chance it will save somebody. Did I say claim? I meant demand.


This line is really funny, by the way. A great bit of satire on modern insurance.

This issue is looking good. I look forward to editing it. :)


Thanks a bunch! I'll admit I am kinda proud of that one - I'm glad the humor lands!

If only it wasn't a real situation which I've been dealing with for the last year /facepalm

Posted: Fri Mar 29, 2019 9:25 am
by Australian rePublic
Option 1- don't forget patient confidentiality

Posted: Sat Mar 30, 2019 6:21 pm
by Verdant Haven
Australian rePublic wrote: Option 1- don't forget patient confidentiality


I did consider including privacy in there, but in the end I decided against it for the sake of brevity. The physician is citing things that could kill a person, and which s/he therefore feels are reasons to pay the ransom. While patient confidentiality is extremely important, it isn't life-threatening, and in this case has already been compromised (so can't be protected by paying).

Posted: Wed Apr 03, 2019 5:21 am
by Verdant Haven
Anybody have any thoughts on the Universal Healthcare thing? Does the present draft feel like it works regardless of UHC status, or do there need to be some splits?

Posted: Fri Apr 05, 2019 11:03 am
by Autonomous Cleaner Bot Cleaners
Verdant Haven wrote:
Australian rePublic wrote: Option 1- don't forget patient confidentiality


I did consider including privacy in there, but in the end I decided against it for the sake of brevity. The physician is citing things that could kill a person, and which s/he therefore feels are reasons to pay the ransom. While patient confidentiality is extremely important, it isn't life-threatening, and in this case has already been compromised (so can't be protected by paying).


Legislation requiring the beefing-up of information security/privacy measures might be part of an issue option. An IRL example would be the Health Insurance Portability and Accountability Act in the United States, which requires the use of technological measures to prevent ransomware infection, and which prescribes mandatory breach disclosure and monetary penalties when breaches occur. In fact, such a law might give the government a direct stake in whether a hospital should pay the ransom...

Candlewhisper Archive wrote: Well in a private hospital, why would the decision to pay lie with the government?


...because the hospital may already be facing fines and penalties prescribed by law, its ability to pay being directly impacted by monies spent on ransoms and the like. The last option in the current draft might have the government bureaucrat proposing a far-reaching privacy law with hefty financial consequences. In effect, hospitals stop worrying about paying ransoms, and begin worrying about paying massive fines instead.

Posted: Fri Apr 05, 2019 11:37 am
by Verdant Haven
Autonomous Cleaner Bot Cleaners wrote:
Verdant Haven wrote:
I did consider including privacy in there, but in the end I decided against it for the sake of brevity. The physician is citing things that could kill a person, and which s/he therefore feels are reasons to pay the ransom. While patient confidentiality is extremely important, it isn't life-threatening, and in this case has already been compromised (so can't be protected by paying).


Legislation requiring the beefing-up of information security/privacy measures might be part of an issue option. An IRL example would be the Health Insurance Portability and Accountability Act in the United States, which requires the use of technological measures to prevent ransomware infection, and which prescribes mandatory breach disclosure and monetary penalties when breaches occur. In fact, such a law might give the government a direct stake in whether a hospital should pay the ransom...

Candlewhisper Archive wrote: Well in a private hospital, why would the decision to pay lie with the government?


...because the hospital may already be facing fines and penalties prescribed by law, its ability to pay being directly impacted by monies spent on ransoms and the like. The last option in the current draft might have the government bureaucrat proposing a far-reaching privacy law with hefty financial consequences. In effect, hospitals stop worrying about paying ransoms, and begin worrying about paying massive fines instead.



While again, I don't want to go in to patient privacy/HIPAA type stuff specifically in this issue, and we can't assume such laws already exist, I am highly amused by your idea of hospitals fearing the government more than the hackers. I've adjusted option 3 to include elements of your suggestion, and emphasize setting up better defenses against future attacks (of any kind) at risk of governmental punishment.

More generally and to anybody who cares to respond - any further feedback on this one? I'm feeling pretty happy with it.

Posted: Fri Apr 05, 2019 1:37 pm
by Autonomous Cleaner Bot Cleaners
Speaking of people to fear, how about an underworld solution to an underworld problem? Have a well mannered older gentleman in a fine Italian/Blackacrean suit tell @@LEADER@@ how unfortunate it is that such inscrutable thieves are holding the hospital hostage, but his cousin Vinny can take care of the problem, if the hospital can be relied upon should he need a favor in kind.

The effect line would describe how the orthopedics department has become the @@REGION@@ leader in kneecap reconstruction surgery.

Posted: Sat Apr 06, 2019 4:41 pm
by Verdant Haven
I'm going to go ahead and set this on Last Call. I'm pleased by its current state, and feel like it's about ready to go.

Holler if you see anything blatant!

Posted: Mon Apr 08, 2019 6:13 pm
by Verdant Haven
Lives On-Line has been submitted! Many thanks to everybody for the constructive feedback.