Originally published by our sister publication Specialty Pharmacy Continuum

By Marcus A. Banks
Health systems and other sites of care should never pay a ransom demand from a cyberattacker, even if that seems to be the most expedient way to get back into business, an internet security specialist warned during a presentation at the NASP 2024 Annual Meeting & Expo, in Nashville, Tenn. 

Some insurers will encourage paying a ransom, knowing they will have ways to claw back that money later, noted Carl Mazzanti, BSBA, the president of information technology consulting firm eMazzanti Technologies, in Hoboken, N.J. But this just marks the site of care as an easy mark, vulnerable to future ransom demands, he stressed.

“If an insurer says to pay a ransom, your response should be to say ‘thank you for your guidance’ and show them the door,” he said. 

Mr. Mazzanti added that it’s far better to plug whatever holes the cyberattacker exploited, even if this leads to a temporary halt in operations, rather than to pay and encourage further extortion.

As for actually preventing these attacks from crippling your operations, one key area to consider is the proper use of passwords. For a long time, strong passwords were viewed as the first line of defense against cyberattacks—perhaps 16 or even more characters, with a combination of letters, numbers, symbols and both upper- and lowercase characters. But Mr. Mazzanti said this approach will not cut it.

“Passwords are dead; they really are,” he argued, because few people like using strong passwords, and instead end up using the same easily crackable password across multiple applications. A better approach is multifactor authentication, which typically involves a user typing a password and then receiving a PIN on their mobile device, which they must enter to access a database or website. Many insurers require multifactor authentication, Mr. Mazzanti noted, and may not pay damage claims from a cyberattack without it.

“If you layer a bunch of [cybersecurity strategies] on top of each other, it works,” he said. This includes using automated and artificial intelligence–backed tools such as a SIEM/SOC (security information and event management system paired with a security operations center) that help prevent data breaches. A SIEM/SOC also will issue alerts about ongoing cyberattacks, hunt for threats and report on any other vulnerabilities in your digital environment.

Pharmacists also should conduct penetration tests, available for free from the Department of Homeland Security, to determine whether critical servers are susceptible to a cyberattack, Mr. Mazzanti said. 

He cited a final prevention strategy: restricting access to internet content based on the user’s geographic location. Known as geoblocking, “[it’s] free, but very few people do it.”

Mr. Mazzanti ended his presentation by encouraging attendees to share these strategies with others at their organizations, noting that it’s human decisions that ultimately determine whether a cybersecurity plan fails or succeeds.

Mr. Mazzanti reported no relevant financial disclosures beyond his stated employment.