By Clare O’Gara
Mon | Oct 7, 2019 | 7:57 AM PDT

Would you agree to surgery in a hacked hospital?

Three hospitals in Tuscaloosa, Alabama, agreed to proceed with surgeries despite a ransomware attack impacting digital systems. 

New patients? No. Surgeries, sure.

WSFA 12 News covered the initial decision:

A statement says backup procedures will allow workers to provide safe and effective care.

The company has temporarily stopped accepting new patients at its hospitals in Tuscaloosa, Northport and Fayette because of a ransomware attack that began affecting computers early Tuesday.

New patients are being sent to Birmingham hospitals or elsewhere.

The ransomware attack happened at DCH Health Systems, which runs the hospital system in the region.

Hospital system pays the attacker ransom

Backup medical procedures were apparently enough for patient care, but data backups must have been no match for the cyberattack.

According to WBMA, the hospitals agreed to pay a ransom to the hackers: 

Saturday it had gotten a key to unlock its computer systems.

A statement from DCH Health Systems didn't say how the three-hospital system got the information needed to unlock its data. But The Tuscaloosa News quoted spokesman Brad Fisher as saying the hospital system paid the attackers.

"For ongoing security reasons, we will be keeping confidential specific details about the investigation and our coordination with the attacker."

Ransomware: to pay or not to pay?

Whether to pay ransoms to cybercriminals is a highly contested question in the cybersecurity and law enforcement communities.

And in ransomware cases, the victims always have a reason behind their choice to pay (or not pay). 

When the City of Baltimore got hacked earlier in 2019, city officials decided not to pay the attacker. Mayor Jack Young explained the choice:

"Well, first, we've been advised by both the Secret Service and the FBI not to pay the ransom. Second, that's just not the way we operate. We won't reward criminal behavior. If we paid the ransom, there is no guarantee they can or will unlock our system."

But not every victim makes that decision. 

Riviera Beach, Florida, faced the same problem. Ultimately, the city decided, in a unanimous vote, to pay $600,000 to reclaim its data. City manager Deirdre Jacobs put it like this:

"Payment of the ransom would provide a mechanism to the city to retrieve all of the city's files and data which have been encrypted. And hopefully return the city's computer network to being fully operational."

Back to the most recent case, what do you think about the decision by DCH Health Systems? Let us know in the comments below.
