Electronic Health Records & Ransomware: To Pay or Not to Pay - Is that the right question?

The most recent ransomware attack to impact a healthcare organization comes from Cass Regional Medical Center in Harrisonville, Missouri. The organization experienced a ransomware attack on July 9, 2018. The attack targeted the organization's communication system and prevented staff from logging on to Meditech, the facility's electronic health record (EHR) system.

Healthcare organizations must consider the risk of a ransomware attack in their annual security risk assessments (SRAs) and plan how they will respond. Whether or not to pay the ransom is something that should be considered in advance. In the moment, with access to the EHR and other systems locked down and patient data inaccessible, panic and a lack of prior planning may lead to a rash decision to pay, which is not necessarily the best choice.