Lessons learned by ECMC after surviving a cyberattack

Aug 1, 2017

A cyberattack on the Erie County Medical Center's computer system could end up costing the hospital millions of dollars. As WBFO's Chris Caya reports, ECMC decided to bear the cost rather than paying a ransom.

ECMC on Grider in Buffalo.
Credit WBFO News file photo /

The hackers who got into ECMC's computer system were looking to make $30,000. But hospital CEO Thomas Quatroche said ECMC decided not to pay the ransom based on three factors.

"I think number one was the fact that we did have backups. It's an individual decision if you have backups you don't necessarily have to pay. Number two, you make yourself a target, from what we hear from the professionals. You know they could up the amount. You just never know what they're going to do. And third, it was an integrity issue for us. We didn't want to pay criminals," said Quatroche.

Quatroche said earlier in the year ECMC increased its cyber-security insurance so the $10 million cost of dealing with the attack, including increased overtime, should be covered. He said lessons learned include: preventing cyberattacks is as much about human behavior as it is about technology. And now each employee must use longer passwords.

"We've learned to behave differently so that we can protect ourselves better. And it's a little inconvenient. But at the end of the day, we're better protected," noted Quatroche.

ECMC CEO Thomas Quatroche.
Credit WBFO News photo by Eileen Buckley

Other than slowing things down a bit, Quatroche said, thanks to the ECMC family, the attack didn't really affect patient care. But he said it should be a wake-up call for other hospitals and businesses. 

"I think every organization should really test being totally down. I mean the computer basically being a paperweight. So we've learned that lesson and I think a lot of other organizations will heed that advice," explained Quatroche.