Not paying the ransom would have cost much more
Since relaying that the insurance company negotiated and paid the ransom for keys to unlock crucial computer data, the question has arisen as to why the decision was made to have the insurance company pay. The decision, while weighty, was quite simple. In the news recently are tales of businesses that chose not to negotiate with the ransomware attackers, and many of those businesses are still non-functioning weeks and months later. We need crucial systems up and running to take care of the patients of the Estes Valley. While we were able to construct “work arounds” to provide some services for a short period of time, that model was not sustainable.
Having crucial computer software non-functioning is not an option for Estes Park Health, in the patient care area or in financial viability. Estes Park Health is going into our busy summer season and we rely heavily on this summer business to maintain our financial stability. We have part-time residents returning that need to see their physicians, and we need to be available for our over 4.7 million anticipated visitors. We simply can’t be “out of order.”
It’s also important to consider the possible risks to the health of the people in Estes Park. Time is critical in some circumstances and delaying care for days or weeks puts our population at risk. In extreme cases, not having essential services available in the Estes Valley could cause patients to have to travel elsewhere for care and possibly put lives at unnecessary risk.
There are rumors circulating about the fiscal responsibility of having the insurance company pay the ransom in this matter. Estes Park Health is responsible for the deductible amount which is $10,000. We had purchased cyber insurance for just this type of event, and it is working in our favor. We have our doors open, we are providing much needed services, and we are caring for our patients – and have been since Monday, June 3. An ongoing closure would have cost this community much more than $10,000. Estes Park Health generates more than $90M in gross revenues. That equates to approximately $247,000 per day of operations and more than $10,000 per hour. Without getting those cyber keys and unlocking the system, we would have lost much more than the deductible amount.
Though the FBI would prefer that organizations not pay a ransom, as the key medical provider in the Estes Valley, we had to weigh the value of not paying against the value of paying. By paying, we have been able to restore almost all services in a matter of a just few days. Had we not paid, it would have taken weeks, at best, to build the network and applications. In addition, some data that was locked may have been lost permanently. Finally, Estes Park Health customers would have faced much greater challenges getting their medical services.
Because of the dedication of the Estes Park Health IT Department, we can continue to report that no patient, financial, or employee information was copied or removed from our system. Most importantly, patient safety and care were never at risk because of the professionalism of the entire staff. In fact, it’s quite comforting to know that there are protocols and procedures in place to handle emergency situations at Estes Park Health, and they work well.
Estes Park Health appreciates the outpouring of concern for our staff. We are going strong. Our patients mean everything to us, it’s why we’re here; so, we consider this merely a pothole in the road to a long journey of serving the Estes Valley with safe, quality, and patient-centered care.
Thank you and please let me know if you have any questions.
Larry E. Leaming, DHA, FACHE
Chief Executive Officer