When Hackers Turn to Blackmail (HBR Case Study and Commentary)

Sunnylake Hospital is being held up by online extortionists who have blocked access to its electronic medical records and are demanding $100,000 to restore it. Paul Layman, Sunnylake's CEO, didn't take their first e-mail seriously, and now the hospital has ground to a halt. Paul's golden-boy IT director can't seem to outwit the hackers. Sunnylake's legal counsel tells Paul, "Literally every second is a liability." The chief of staff is in a mutinous fury. What should Paul do? Three experts comment on this fictional case study in R0910B and R0910Z. He should pay the extortionists, advises Per Gullestrup, the CEO of Clipper Projects, who in late 2008 was closely involved in negotiations with Somali pirates who had seized a Clipper Group ship. But first Paul should hire a negotiator to prevent the extortionists from doing further mischief. He should absolutely not acquiesce, says Richard L. Nolan, a professor at the University of Washington's Michael G. Foster School of Business, because the hackers may have embedded further corruption in the system. And Paul must communicate fully with the staff, his board, patients, and the public. Peter R. Stephenson, chairman of the department of computing at Norwich University, recommends shutting down the servers, running a malware scan on every workstation in the hospital, and watching what happens for 24 hours, in case the extortionists are insiders.

• Information management
• IT management