This paper concentrates on the primary theme of Sunnylake deal with the attack? When Hackers Turn to Blackmail in which you have to explain and evaluate its intricate aspects in detail. In addition to this, this paper has been reviewed and purchased by most of the students hence; it has been rated 4.8 points on the scale of 5 points. Besides, the price of this paper starts from £ 40. For more details and full access to the paper, please refer to the site.
Sunnylake deal with the attack? When Hackers Turn to Blackmail
Three commentators offer exper t advice.
by Caroline Eisenmann
Reprint R0910B
are at stake when extortionists shut down a hospital’s electronic medical records system.
ASE S TUDY
When Hackers Turn to blackamail
security sucks, the message read. But we can help u. for 100K cash well insure your little hospital dont suffer any disasters.
“Ridiculous,” Paul Layman said to himself, deleting the e-mail. “The things people try to get away with on the internet!”
Paul, the CEO of Sunnylake Hospital, had been leisurely checking his inbox on a Friday afternoon when he found the illiterate e-mail from an unknown sender. He’d come to Sunny- lake five years earlier with a vision of intro- ducing cutting-edge technology to the small hospital. Paul was convinced that Sunnylake could grow only if it shook off outdated habits and procedures, and that switching from paper records to electronic medical records (EMRs) would improve the quality of care for the hospital’s patients. After a careful search Paul had hired an earnest young man named Jacob Dale to be Sunnylake’s director of IT, and the
two had worked to execute his vision.
The success of the EMR initiative had trans- formed Sunnylake from a backwater commu- nity care center to a role model for small hospitals everywhere. The entire medical staff now used electronic readers to open patients’ files. Many of the doctors had ini- tially resisted the change, fearing that the new technology would divert attention from patients’ signs and symptoms. As time passed, though, even the most devoted of the old school had been forced to admit that EMRs had increased efficiency—for example, by automatically checking for medication errors and drug interactions.
The shining success had turned Paul’s fledg- ling IT department into a valued part of the hospital. The CEO considered EMRs to be his legacy—one that would serve the institution well for years to come.
The implied threat in the e-mail provoked
no anxiety in Paul. He had great faith in Jacob,
HBR’s cases, which are fictional, present common managerial dilemmas and offer concrete solutions from experts.
aroline Eisenmann is a former intern at HBR.
whose custom-tailored shirts and Vandyke beard belied his aggressive energy. While the system was under development, Paul had repeatedly insisted that patients’ privacy was critical. Jacob had calmly and exhaustively explained that making records digital would also make them more secure. Nevertheless, Paul had been nervous when the system went live, but the past three years had qui- eted his doubts. Even though he knew that no computer system was perfect, he felt confident that the network was not in real danger—especially not from an extortionist who hadn’t mastered basic typing skills.
He forgot about the matter over the week- end. But at 8:00 on Monday morning he received another e-mail from the same sender, with a subject line reading We warned u. The message field was blank.
The most difficult day of Paul Layman’s career was about to begin.
Access Denied
“We’ve got a patient going into surgery!” the doctor barked. “I need those records now!”
The intern he was shouting at barely looked up from the device in her hands. She’d been there only a week, the doctor thought, and already she was proving her incompetence. He pulled the EMR reader away from her and impatiently entered his access code. The screen flashed Access denied.
“What is this?” he growled. “I just looked at this patient’s files yesterday!”
IT had designed the network so that records could be accessed only by the doctors, nurses, and administrators who needed them. Today, apparently, something had gone dreadfully wrong. The intern stood, arms akimbo, shak- ing her head. Resisting the urge to bang the device against a table, the doctor stormed down the hall to the IT department. He barely noticed the cluster of worried-looking nurses at their station, or the empty medication carts that should have been making their morning rounds.
At the heart of the department he happened on an unusual scene. A group of disgruntled doctors had gathered outside a glass-enclosed room in which several servers were humming on racks. Inside the room a few IT guys labored frantically. As the doctor drew nearer, he could see that each of his colleagues carried a device flashing the same message: Access denied.
Records for Ransom
Minutes later, Jacob was in Paul’s office when the third e-mail arrived. In complete silence the two stared at Paul’s computer screen. We bet u want your stuff back. probly shud have protected it better. for the small price of 100K well make this go away.
“What the hell is going on?” Paul de- manded. “I’ve got doctors rioting in the halls.” “This is some kind of system-wide ransom- ware,” Jacob muttered. “Instead of holding up a couple of people for 50 bucks a pop, these guys are holding up the whole organization. They want $100,000 for the decryption tool.” His entire team was at work trying to restore the system. The programming that normally allowed only selective access to records had been altered to allow no access at all. Even
the system administrators were shut out. “How did they get into our system?”
“Maybe through an individual user’s ma- chine,” Jacob replied. “Someone here might have thought he was downloading antivirus software—or updating an existing application.” “One idiot on our staff could have caused this entire mess?” Paul realized in a sickening instant that Sunnylake’s IT department was simply not big enough or sophisticated enough to handle such a devastating problem. Over the past three years technology security had advanced significantly, but somehow Sunny- lake had not kept up. Only days earlier Paul had been confident that the system was virtu- ally impossible to infiltrate. Now he had to face the horrifying reality that it had been too
weak all along.
Complete records were backed up on the network, so patient information wouldn’t be utterly lost. But Sunnylake currently had no way of delivering those records to doctors who urgently needed them for patient care. The hospital was about to come to a standstill.
“This is —” Paul paused, at a loss for words. “Really bad. Really, really bad.” He looked at Jacob.
The IT director’s eyes had narrowed, and his expression was ferocious. “What kind of slime hacks a hospital?” he demanded of the screen. “Don’t they care about hurting sick people? You think you’ve seen the worst, but these people get lower all the time.”
“From what I’ve heard, hackers don’t ex- actly subscribe to a moral code,” Paul said, suppressing an urge to shout at Jacob. “They
must have realized that our dependence on these records makes us particularly vulnera- ble. If you take down a normal site for a few hours, the company probably loses money. Maybe even a lot of money. But if you take records away from a hospital, the staff might end up hurting the patients it works so hard to protect. This isn’t just a question of money anymore. We have human lives at stake.”
“My people are fighting this with every- thing we’ve got,” Jacob responded defensively. “Given enough time, we can regain control of the system. Then we’ll upgrade security to make sure nothing like this ever happens again. We’ll install a network-based infection detection system. From now on, just warding off intruders isn’t enough.”
“The question is, When can we win?” Paul said quietly, holding down his frustration. “We can’t go without records much longer.”
“This is the digital equivalent of hand- to-hand combat,” Jacob replied. “We know the system better than these people do, but they have the advantage of surprise. I just can’t tell you when we’re going to win. There isn’t a quick fix for a problem like this.”
Paul nodded toward the screen. “They’ve offered us a quick fix,” he said.
“You’re not seriously considering paying these guys, are you?” Jacob asked incredu- lously. “If we pay once, we’ll be a target forever. Don’t do it. It’s not right. We can beat these guys, Paul. Just give me some more time.”
A Ticking Bomb
“Paul, we need to make this go away,” said Lisa Mankins, Sunnylake’s head legal counsel. Her hair was pulled back smoothly, and she was dressed as usual in an austere pantsuit, but Lisa looked as if she’d just undergone hours of torture.
After the hackers’ latest e-mail, IT had man- aged to restore the system twice, only to have it crash minutes later. Despite the depart- ment’s best efforts, Jacob explained, the hack- ers kept regaining access. Most of the staff was beginning to look emotionally drained. The hospital had ordered all doctors to write paper nursing orders and prescriptions for the time being. The younger doctors, who’d always re- lied on EMRs, were baffled by the concept. Even some of the older ones had forgotten how to scratch out “500 mg Amoxicillin” legibly.
Paul had called Lisa into his office to talk about damage control.
“Our legal exposure in this kind of situation is mind-boggling,” she said. “The longer this goes on, the bigger the risk. Literally every sec- ond is a liability. Doctors are resorting to old paper records for the most urgent cases, but those records are way out of date. Earlier this afternoon we treated a patient with medicine he was allergic to. Luckily, his reaction was mild—but we may not be so lucky next time.”
Lisa paced back and forth in front of Paul’s desk. “We have to assess our options. It doesn’t look to me like IT can fix this problem fast enough—if at all.”
“The way Jacob explained it to me, IT needs a certain amount of time to regain control,” Paul said. He had tried all morning to preserve his confidence in Jacob’s ability, but it was be- ginning to fade. Each time the system was re- stored, hope had soared in Paul’s chest, only to crash again when Access denied reappeared on every screen.
“We don’t have that time,” Lisa insisted. “You know that.” After a moment of silence she spoke again, her face tight. “We have a budget for this kind of thing, you know. An acceptable- loss budget. We have insurance that covers IT risk and the money to pay these guys. Malprac- tice suits could cost this hospital hundreds of thousands of dollars in legal fees alone—and possibly millions in damages. A hundred thou- sand bucks pales alongside the losses we might face if we wait this out. I think it’s practical— even moral—to pay the ransom. The longer we wait, the more we risk seriously hurting our patients and ourselves.”
“I don’t like the idea,” Paul said. “Not at all. It’s unprincipled to reward extortion. It would just encourage these people, and maybe lead to other attacks on other hospitals.” He paused. “But it might be all we’ve got.”
Lisa had barely left his office before George
Knudsen, the chief of staff, stormed in.
“When are you going to fix this?” he de- manded. “Do you have any idea what this will do to our reputation if some newshound gets wind of it?” George was a grizzled and intimidating fixture at Sunnylake. He’d been there for years when Paul arrived, and might well outlast him. The two had butted heads over the introduction of EMRs, but had been cordial since the initiative’s success. George looked anything but cordial now.
our legal exposure in this kind of situation is mind-boggling,” she said. “Literally every second is a liability.”
“Everyone is working as hard as possible,” Paul replied. “It’s been tough for all of us.”
“I don’t think you know how difficult it’s been,” George said angrily. “You wouldn’t know that unless you had to treat patients while wondering whether you were actually doing them harm. You wouldn’t know that unless you were afraid of breaking your oath just because some young computer geek thought his system was a whole lot stronger than it actually is.”
“George, you know how good the elec- tronic system has been for this hospital,” Paul retorted, alarmed by the older man’s fury. “You admitted it yourself.”
“I didn’t know what kind of cost we were going to pay!” George roared. “You’re making your entire staff look incompetent—or worse! Paper might have been slow, but it was reli- able. If you don’t fix this soon, Paul, I’m never touching one of those damn devices again. And I know plenty of others here who will feel the same way.” He stalked out.
Paul lay on his back on the sofa in the staff lounge, staring up at the half-lit ceiling. It was
1:00 am. The IT team was still in the hospital, waging cyberwar with the unseen adversary. The pattern of brief victory followed by defeat had continued into the night. Jacob had tried every online decrypter he could find; his team
Paul clenched his eyes shut. He kept seeing cinematic images of Allied code breakers bat- tling the Germans’ Enigma machine. Sunny- lake’s situation felt every bit as urgent. Try as he might, he couldn’t clear his mind and let himself fall asleep. Crushing guilt, a sense of responsibility for all that had passed that day, pressed down on his chest.
Even after three years of success, during which the staff had almost without exception come to appreciate the efficiency of EMRs, Paul could clearly remember how hard he’d had to fight to get the system installed and accepted. Unless he could resolve this crisis quickly, he would lose all the ground he had won. The doctors at the hospital had been a stubborn, resistant lot at the outset, and George Knudsen wasn’t the only one who would snap into I-told-you-so mode. It might be nearly impossible to get them to trust the system—or him—again.
If he paid the hackers—just this once— Sunnylake could make security the number one priority and ensure that nothing like this ever happened again. Paul rolled over, sighing. Was he actually considering paying extortion money to these criminals?
How should Sunnylake deal with the
attack? Three commentators offer expert advice.
was fanned out across the hospital, scanning
computers for leads.
See
Case Commentary
Case Commentar y
by Per Gullestrup
How should Sunnylake deal with the attack?
The first step should be to hire an emotionally neutral negotiator who can open a dialogue with the hackers.
Distasteful as it may sound, I would suggest that Sunnylake Hospital go ahead and pay the ransom demanded by the extortionists. (This assumes, of course, that the threat is real and that there is a verifiable risk to patient health.) That may well be the only way that Paul Lay- man can keep Sunnylake’s patients from harm and avoid the massive liability risk that Lisa Mankins, the head counsel, so fears.
Why would I recommend this? As a CEO, I had to deal with an analogous situation in November 2008, when Somali pirates in the Gulf of Aden attacked a $15 million ship belonging to the Clipper Group. The pirates held its 13 crew members hostage for 71 days. I led the emergency response team that was charged with ensuring the safety of the ship and crew.
Dealing with extortion is not part of a CEO’s job description. In our case, the criminals held all the cards. During the showdown I learned that Somali piracy is a well-run busi- ness that includes a number of actors and investors. Though the pirates can make life unpleasant for the hostages, harming them is out of the question—that would be death to the pirates’ business model.
The pirates knew that time was on their side. If we chose not to pay, they would simply hang on to the ship and crew; their well-honed system makes it easy to continually resupply the ship. (Although Danish law prohibits pay- ing ransom to terrorists, there is nothing to prevent a shipowner from paying pirates.)
No CEO can hold out indefinitely against constant hammering by desperate relatives, an anxious press, and demanding politicians—it’s simply not sustainable. In the end, we had no choice but to pay the millions of dollars the pi- rates demanded. (Insurance covered the cost.)
In Paul’s case, the first and most important step should be to hire a good, emotionally neutral negotiator who can open a dialogue with the hackers and keep them involved in conversation, so that they will be unlikely to do even more mischief.
As the process moves forward, the negotia- tor can pass information between the two sides, while Jacob Dale’s IT team works on getting the system running and then beefs up the security and emergency plans it should have had in the first place. Meanwhile, the police and forensic specialists can try to track down the criminals and put a stop to their enterprise.
Once negotiations are in play, every- thing turns into a chess game. The negotia- tor and the emergency team can work out terms and logistics. When an agreement has been reached, the money is dropped and the whole episode is over.
Another question is, What about the media? Chances are good that reporters will some- how find out about what has happened at Sunnylake. In our case, we decided to deal with the media very directly in order to help raise awareness of the threat that Somali pirates pose.
If shipowners come to understand the pi- rates’ business proposition and are ready to do the hard negotiation necessary, they will be much better equipped to deal with the threat. During the negotiation process, we learned a great deal about where the ransom money goes and how it is used—and the au- thorities are now putting that information to good use.
Per Gullestrup ([email protected]) is the presi- dent and CEO of Clipper Projects in Copenhagen.
Case Commentar y
by Richard L. Nolan
When Hackers Turn to Blackmail • HBR CASE STUDY
How should Sunnylake deal with the attack?
Paul needs to provide full disclosure to his various constituents: employees, board, patients, and the public.
This case is an example of the kind of attack to which every organization, small or large, is now vulnerable. All organizations depend on technology; none are immune to the hordes of people around the world who seek to disrupt their operations—sometimes just for the fun of it and frequently for malicious reasons or personal gain.
This means that the CEO and the board are responsible for “good business judgment” in guarding against the threat. Paul’s first mistake was to dismiss the original e-mail message. All IT threats should be taken seriously; had he had his wits about him, he would have let Jacob Dale know about it immediately. No IT system is “bulletproof.”
Moreover, organizations need a plan for when they are unsure of the extent to which their systems have been compromised. Sunny- lake should have had a workable, fully tested backup system to ensure uninterrupted pa- tient service and protect everyone affected. Doctors and nurses are trained to diagnose, problem solve, and dynamically treat their patients. IT systems facilitate, but are not substitutes for, patient treatment. The fact that the hospital did not have up-to-date secu- rity software installed, or a reliable security outsourcer and an emergency plan in place, is inexcusable.
As bad as it seems, this crisis is easier to deal with than other, vaguer threats (such as robotlike software programs that randomly alternate between dormancy and sabotage or stealing customer data), because Sunnylake knows there has been an intrusion: Someone seems to have changed the access security.
So what should Paul, the CEO, do? First, he had better get off that sofa and give up the vain hope that IT can restore the system and get the hospital running again. When hospi- tals in CareGroup, a team of health-care pro-
fessionals in eastern Massachusetts, experi- enced a similar situation in 2002, the CEO, the CIO, doctors, nurses, and the support staff began operating just as they had in the 1970s, before their integrated EMR system was in- stalled. The professionals who remembered what that was like coached those who had always depended on computers. As John Halamka, the CIO, told his board, “The good news is that health care did not suffer.”
Paul should also be in high communication mode with all of his constituents. He should understand that in today’s networked environ- ment there are absolutely no secrets. Any IT breach forces an organization to ask, How much should we disclose about this threat? In this situation Paul needs to provide full dis- closure to his various constituents: employees, board, patients, and the public.
In no way should he acquiesce to the de- mands of the extortionists. There is no guar- antee that they haven’t embedded further corruption in the system. The code needs to be examined line by line and thoroughly cleansed. The hospital’s network infrastruc- ture and other IT systems must be analyzed for possible corruption and protected with updated security software.
Finally, Paul needs to face up to the fact that he may lose his job. After all, he is responsible for all the strategic resources of the hospital, including IT. The board should also be held accountable for the lack of strategic oversight.
Sunnylake Hospital’s case offers an advance warning about a very serious emerging prob- lem for all chief executives and their boards.
Richard L. Nolan ([email protected]) holds the Philip M. Condit Chair at the University of Washing- ton’s Foster School of Business. He is a coauthor, with Robert D. Austin and Shannon O’Donnell, of Adventures of an IT Leader (Harvard Business Press, 2009).
How should Sunnylake deal with the attack?
IT needs to run a malware scan on every workstation in the hospital.
If you’ve festooned the windows and doors of your network with garlic, hung up mirrors and crucifixes, and splashed everything with holy water in the form of firewalls, antivirus soft- ware, and so on, you’ll probably be safe from vampires—hackers or malware. But in this case, preparations for a security breach were lacking, and some gumball—possibly some- one shopping online from a computer con- nected to the network—may have let the vam- pire in.
Unfortunately, data security is an after- thought in many hospitals. Recently I walked past a hospital’s information kiosk, which was supposed to be staffed by a volunteer. The computer was on, the screen was lit up, but nobody was around—a gross violation of U.S. law protecting patient privacy.
At Sunnylake the system keeps crashing be- cause the attackers find a new way in every time a fix happens. This may be because the malware—the evil program that facilitated the breach in the first place—has relayed a message back to the hackers, letting them know what Jacob and his team are doing.
If Paul had let the IT people know the mo- ment the first nasty message arrived, they could have taken the system off the internet immediately, ensuring that a rogue program related to the attack couldn’t get in from out- side. This would also have blocked any back doors the hackers had created.
Next, they should have verified that the bad guys had actually gained access to the net- work. It’s not unusual for an extortionist to send a threatening message in hopes of scar- ing the recipient into a payoff. Jacob and his team should have checked the system logs to see if changes had occurred. If they had reacted immediately, they could have fore- stalled the second e-mail or additional pene- trations.
How can IT fix the network? First, the
system administrators need to regain their
passwords and recover control. At the risk of getting technical, this means shutting down servers, performing a secure delete on all the server disks by deleting and overwriting with random data, restoring the servers and the data, and making sure the security programs are fully updated and operational. IT needs to run a malware scan on every workstation in the hospital, in case the attack came via an employee computer. Though labor-intensive, this scan is critically important.
What about the extortionists? The e-mail messages offer some tantalizing hints as to their identity. The use of the abbreviation “u” for “you” suggests a young person or a foreign national with poor English skills or an ama- teur who downloaded the attack program from the internet. It’s also possible that the bad guys are quite intelligent—and it’s always safer to overestimate hackers’ skills. They may not even be “outsiders.” A vengeful employee or patient who happens to pass by an unat- tended workstation can do plenty of damage. Before reconnecting to the internet, Sunny- lake should watch what happens for 24 hours. If the attackers are insiders who retained ac- cess to the system, they may try to get in again. Even if Paul hires a security consultant, which is a step I would recommend, it’s un- likely that the hospital will find the attackers. Still, the consultant can help build a profile of the attackers, improve security, and train key personnel, so that Sunnylake can protect
itself in the future.
P LQ WKH FRXUVH