This Week Health
Today: To pay the ransom or not to pay the ransom?


Do you have an answer? Will this decision be taken out of your hands? Today we explore.

Transcript

Today in Health IT: to pay the ransom or not to pay the ransom. That is the question. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels and events dedicated to transform healthcare, one connection at a time. We want to thank our show sponsors who are investing in developing the next generation of health leaders: Notable, ServiceNow, Enterprise Health, Parlance, Certified Health, and Panda Health.

Check them out at thisweekhealth.com/today. This news story and every news story we talk about on the show, you can find at thisweekhealth.com/news. Check it out. Let's see. Hey, one last thing: share this podcast with a friend or colleague. Use it as a foundation for mentoring. That is what we are driving this year. We hope you will have conversations about the topic. Agree with me, disagree with me, that's not the point.

The point is that you are having conversations with the next generation and sharing your wisdom and experience. They can subscribe wherever you listen to podcasts. All right. Yesterday was a really long episode of the Today show. Today will be a very short episode of the Today show.

I promise. So, the article I'm looking at... I'm referring to two articles. The first one is from the ABA Banking Journal. That's right. Contributed by drugs to Ford. The great thing about our site is we go all over the internet and find these articles and pull them in for you to read. And we find the ones that are relevant to just you in health IT. This one, even though it's from the ABA Banking Journal, is "Proposed bill would block large ransomware payments by financial institutions." The proposed Ransomware and Financial Stability Act aims to introduce measures for financial institutions in response to ransomware attacks, mandating them to notify the Treasury Department before making any ransomware payments and to obtain law enforcement approval for payments exceeding a hundred thousand dollars. Sponsored by House Financial Services Committee Chairman Patrick McHenry and Representative Brittany Pettersen, the bill targets financial markets, utilities, large security exchanges, and critical technology service providers to banks, aiming to strengthen the financial sector's resilience against cyber threats.

Additionally, it protects sensitive information reported to law enforcement from public disclosure, with certain exceptions, reinforcing the security and privacy of the reporting process. All right. So you have that story. And I'm not going to go into it, but essentially, the Change Healthcare... you can find this on TechCrunch, I believe.

The Change Healthcare breach story takes another turn in that they have leaked the information, or at least a portion of the information, that the hackers had. And this gets us to the question: to pay the ransom or not to pay the ransom. It's interesting. When we have 229 events, we have 15 CIOs or CISOs sitting around the table. From time to time, I will do quick polls. And one of the quick polls I like to do is: will you pay the ransom if you are ransomed as a health system?

And it's interesting. The thing that's encouraging now is a majority of the health systems around the table will say, we've already made a decision of what we are going to do, we've talked about it, and we have put the things in place to make the right decision. There's a process, there's a... whatever, there's a framework for making that decision. I think that's the first step, far and away.

That's the first step. If you haven't done that, you should have the conversation, because if you plan to pay the ransom and don't know how to get to cryptocurrency, then you really haven't put a plan in place for what you're going to do in that event. And you don't want to be making that decision during that event.

So that's just the first thing. You just outright have to have the discussion with leadership. Potentially it's a board discussion, but most likely it's not. It's an operational decision. It's a leadership decision. What are we going to do? And your job as a security officer or as a CIO or leader in the organization is to frame this up in a way that they understand: this is how this would come down.

This is how you would get the request for the money. This is where the money would go. This is what they would send in return. This is the likelihood that would actually work in order to restore the information, and of them not utilizing the information at a future date to extract more money. You have to set up that whole thing so that they understand what decision they're making.

Now we get to... but by the way, that's the encouraging part. The discouraging part is the number of people who say these words: it's a game-time decision. And I understand why they're saying that. They're saying that because it depends. Essentially, that answer is: it depends. It depends how wide-ranging the attack is.

It depends what they've taken down. It depends, you know, how extensive it is to the operation of the health system. It depends what is going on at the time, whether they will pay the ransom or not pay the ransom. I think that decision is going to more and more get taken out of your hands. And I think you will see bills like this, the Ransomware and Financial Stability Act.

You're going to see a similar act be passed for healthcare that essentially takes it out of your hands, and you have to talk to people within the federal government in order to make these payments to these... to these terrorists, essentially. They're holding hospitals hostage.

They are stealing information, they are locking down our hospitals. They are terrorists. If somebody walked in the front door and shut down a hospital, we would call them terrorists. If they're doing that with cyber attacks, they are still terrorists, no matter how you look at it. And so the question becomes to pay or not to pay, and the Change Healthcare situation is the biggest risk, which is, like, you pay, and even if you can restore, it doesn't necessarily mean that you're out of the woods. It just means that you were able to restore and to keep functioning. But at the end of the day, you still have to do all the necessary work to ensure that you're still not infected, that they are still not present in your network.

You still have to secure the environment. You still have to install something or bring in a third party; you still have to do all those things anyway. And that comes back to that classic, where they ransomed Caesars and they ransomed MGM. MGM didn't pay. Caesars did. And who is better off?

It's really hard to say. MGM: it cost them far more than the 10 million, or whatever it was that was the ransom, to completely clean out the environment, but they were going to have to do that anyway. And Caesars was up and running a lot quicker. Eh, they still had to do all that work.

And at the end of the day, was the information safe or was it not safe? Are the high rollers for both organizations at risk today? And that becomes it. So you pay and you're able to restore operation; maybe that is worth it to you. But you still haven't protected the data, because the data is still at risk, because they were inside your environment at the deepest levels, or at least far enough to lock everything down.

Therefore they probably had access to the information. I would really like to hear more health systems say, we're not going to pay the ransom. And we're not going to pay the ransom because we don't want to continue to put ourselves at risk at a future date, and we don't want to be the target for future ransomware attacks.

And if you establish yourself as somebody who's not going to pay the ransom, first of all, you have to secure your borders to make sure... secure your environment. It's not the borders anymore, but it's secure your environment. And second of all, you are communicating to the world that you will not be ransomed.

It's the only way to keep... They want money. They only profit if you give them the money, and if you don't give them money, the theory goes that they will stop doing it. They're not doing it to really wreak havoc, which I guess is the argument for them not to be considered terrorists. They're really thugs who are robbing your bank; they're coming after your accounts. So I'd like to see more people saying, no, we're not going to pay the ransom, and do the appropriate work to make sure that they never have to pay the ransom anyway.

I said it would be short. That's all for today. Don't forget: share this podcast with a friend or colleague. Mentor someone. We want to thank our channel sponsors who are invested in our mission to develop the next generation of health leaders: Notable, ServiceNow, Enterprise Health, Parlance, Certified Health, and Panda Health.

Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.


© Copyright 2024 Health Lyrics All rights reserved