Case Study: When Hackers Turn to Blackmail 1. The introduction of Sunnylake hospital case The use of information technology in business presents major security challenges, poses serious ethical question, and affects society in significant ways. Especially, the computer crime is a growing threat to society and is caused by the criminal or irresponsible actions of individuals who are taking advantage of the widespread use and vulnerability of computers and the Internet and other networks.
It presents a major challenge to the integrity, safety, and survival of most business systems. Once Sunnylake Hospital was a backwater community care centre, while Paul, the CEO of Sunnylake had come to the hospital five years earlier, the situation of Sunnylake Hospital changed. Because he introduced cutting-edge technology to the small hospital. Paul was convinced that Sunnylake could grow only if it shook off outdated habits and procedures, and that switching from paper records to electronic medical records (EMRs) would improve the quality of care for the hospital’s patients.
After a careful search Paul had hired an earnest young man named Jacob Dale to be Sunnylake’s director of IT, and the two had worked to execute his vision. The success of the EMR initiative had transformed the hospital to a a role model for small hospitals everywhere. One day Paul received an illiterate extortion e-mail from an unknown sender, but he did not realize the implied threat in the e-mail. He had great faith in Jacob and the IT system. While after Paul received another e-mail from the same sender, the dangers came out. Sunnylake had no way of delivering records to doctors.
The hospital was about to come to a standstill. Meanwhile the third e-mail arrived, Paul and Jacob knew that this is some kind of system-wide ransom ware, Now Paul had to face to a difficult choice, to give $100,000 or not. This is not just a question of money anymore. They have human lives at stake. Jacob said to Paul“ if we pay once, we’ll be a target forever. Don’t do it. It’s not right. My people are fighting this with everything we’ve got and we can regain control of the system. Just give me some more time. ” Whereas Lisa Mankins, Sunnylake’s head legal counsel hold the opposite opinion.
She said to Paul “Our legal exposure in this kind of situation is mind-boggling, The longer this goes on, the bigger the risk. Literally every second is a liability. ”Lisa thought that they should an acceptable-loss budget for this urgent thing and have insurance that covers IT risk and the money to pay these guys. She said the longer they waited, the more they risk seriously hurting their patients and themselves. Now Paul knew that unless he could resolve this crisis quickly, he would lose all the ground That how hard he’d had to fight to get the system installed and accepted.
If he paid the hackers – just this once – Sunnylake could make security the number one priority and ensure that nothing like this ever happened again. Paul rolled over. Was he actually considering paying extortion money to these criminals? 2. How should Sunnylake deal with the attack? Synthesising three experts’ viewpoints and my suggestion, there are four parts that Sunnylake Hospital can adopt. 2. 1 Hiring an negotiator to open a dialogue with the hackers Sunnylake Hospital should pay the ransom demanded by the extortionist.
Because this may be the best way that Paul Layman can protect the patients of Sunnylake Hospital and avoid large liability risk. In Sunnylake’s case the most vital thing should be to hire a good , emotionally neutral negotiator who can open a dialogue with the hackers and keep them involved in conversation, so that they wil not be to do even more harmful things. As the process moves forward, the negotiator can pass information between the two sides, while Jacob Dale’s IT team works on getting the system running and then beefs up the security and emergency plans it should have had in the first place.
Meanwhile, the police and forensic specialists can try to track down the criminals and put a stop to their enterprise. Once negotiations are in play, everything turns into a chess game. The negotiator and the emergency team can work out terms and logistics. When an agreement has been reached, the money is dropped and the whole episode is over. 2. 2 Providing full disclosure to his various constituents The CEO and the board are responsible for “good business judgment” in guarding against the threat. So Paul’s first mistake was to dismiss the original e-mail message.
All IT threats should be taken seriously, and he would have let Jacob Dale know about no IT system is “bulletproof. ” Sunnylake should have had a workable, fully tested backup system to ensure uninterrupted patient service and protect everyone affected. Doctors and nurses are trained to diagnose, problem solve, and dynamically treat their patients. IT systems facilitate, but are not substitutes for, patient treatment. The fact that the hospital did not have up-to-date security software installed, or a reliable security outsourcer and an emergency plan in place, is inexcusable.
So what should Paul, the CEO, do? First, he had better get off that sofa and give up the vain hope that IT can restore the system and get the hospital running again. Paul should also be in high communication mode with all of his constituents. He should understand that in today’s networked environment there are absolutely no secrets. Any IT breach forces an organization to ask, How much should we disclose about this threat? In this situation Paul needs to provide full disclosure to his various constituents: employees, board, patients, and the public.
In no way should he acquiesce to the demands of the extortionists. There is no guarantee that they have not embedded further corruption in the system. The code needs to be examined line by line and thoroughly cleansed . The hospital’s network infrastructure and other IT systems must be analyzed for possible corruption and protected with updated security software. Finally, Paul needs to face up to the fact that he may lose his job. After all, he is responsible for all the strategic resources of the hospital, including IT.
The board should also be held accountable for the lack of strategic oversight. 2. 3 Running a malware scan on every workstation in the hospital At Sunnylake the system keeps crashing because the attackers find a new way in every time a fix happens. If Paul had let the IT people know the moment the first nasty message arrived, they could have taken the system off the internet immediately, ensuring that a rogue program related to the attack could not get in from outside. This would also have blocked any back doors the hackers had created.
Next, they should have verified that the bad guys had actually gained access to the network. It’s not unusual for an extortionist to send a threatening message in hopes of scaring the recipient into a payoff. Jacob and his team should have checked the system logs to see if changes had occurred. If they had reacted immediately, they could have forestalled the second e-mail or additional penetrations. How can IT fix the network? First, the system administrators need to regain their passwords and recover control.
At the risk of getting technical, this means shutting down servers, performing a secure delete on all the server disks by deleting and overwriting with random data, restoring the servers and the data, and making sure the security programs are fully updated and operational. IT needs to run a malware scan on every workstation in the hospital, in case the attack came via an employee computer. Though labor-intensive, this scan is critically important. Before reconnecting to the internet, Sunnylake should watch what happens for 24 hours. If the attackers are insiders who retained access to the system, they may try to get in again.
Even if Paul hires a security consultant, it’s unlikely that the hospital will find the attackers. Still, the consultant can help build a profile of the attackers, improve security, and train key personnel, so that Sunnylake can protect itself in the future. 2. 4 Developing the IT system security tools of Sunnylake Hospital Sunnylake case shows that the security of today’s networked business enterprises is a major management challenge. And vital network links and business flows need to be protected from external attack by cybercriminals.
This requires a variety of security tools and defensive measures and a coordinated security management program. The first tool is encryption which is an important way to protect data and other computer network resources, especially on the Internet, intranets, and extranets. The second important method for control and security on the Internet and other networks is the use of firewall computers and software. The third one is e-mail monitoring because internet and other online e-mail systems are one of the favorite avenues of attack by backers for spreading computer viruses or breaking into networked computers.
Virus defenses are built against the spread of viruses by centralizing the distribution and updating of antivirus software as a responsibility to their department. There are also a variety of security measures that are commonly used to rotect business systems and networks. Such as Security codes, backup files, security monitors. The security tool above can be used by the IT security department of Sunnylake Hospital. 3. Conclusion of the Sunnylake Hospital case As talked above Sunnylake Hospital can take four steps.
The first thing is to hire an negotiator to open a dialogue with the hackers. Then they should Provide full disclosure to his various constituents. The most important thing is to develop the IT security systems by a various of methods. Reference Eisenmann, Caroline (October 2009) When Hackers Turn to Blackmail, Harvard Business Review, Vol. 87 Issue 10, pages 39-48. Commentary by: Gullestrup, Per; Nolan, Richard L. ; Stephenson, Peter R. O’Brien James A and Marakas George M. (2011) Management Information Systems, 10th edition, McGraw-Hill, ISBN: 978-0-07-122109-2.
