Question
Ur network security sucks, the message read. But we can help u. for 100K cash well insure your little hospital dont suffer any disasters.
"Ridiculous," Paul Layman said to himself, deleting the e-mail. "The things people try to get away with on the internet!"
Paul, the CEO of Sunnylake Hospital, had been leisurely checking his inbox on a Friday afternoon when he found the illiterate e-mail from an unknown sender. He'd come to Sunnylake five years earlier with a vision of introducing cutting-edge technology to the small hospital. Paul was convinced that Sunnylake could grow only if it shook off outdated habits and procedures, and that switching from paper records to electronic medical records (EMRs) would improve the quality of care for the hospital's patients. After a careful search Paul had hired an earnest young man named Jacob Dale to be Sunnylake's director of IT, and the two had worked to execute his vision.
The success of the EMR initiative had transformed Sunnylake from a backwater community care center to a role model for small hospitals everywhere. The entire medical staff now used electronic readers to open patients' files. Many of the doctors had initially resisted the change, fearing that the new technology would divert attention from patients' signs and symptoms. As time passed, though, even the most devoted of the old school had been forced to admit that EMRs had increased efficiency -- for example, by automatically checking for medication errors and drug interactions.
The shining success had turned Paul's fledgling IT department into a valued part of the hospital. The CEO considered EMRs to be his legacy -- one that would serve the institution well for years to come.
The implied threat in the e-mail provoked no anxiety in Paul. He had great faith in Jacob, whose custom-tailored shirts and Vandyke beard belied his aggressive energy. While the system was under development, Paul had repeatedly insisted that patients' privacy was critical. Jacob had calmly and exhaustively explained that making records digital would also make them more secure. Nevertheless, Paul had been nervous when the system went live, but the past three years had quieted his doubts. Even though he knew that no computer system was perfect, he felt confident that the network was not in real danger -- especially not from an extortionist who hadn't mastered basic typing skills.
He forgot about the matter over the weekend. But at 8:00 on Monday morning he received another e-mail from the same sender, with a subject line reading We warned u. The message field was blank.
The most difficult day of Paul Layman's career was about to begin.
Access Denied
"We've got a patient going into surgery!" the doctor barked. "I need those records now!"
The intern he was shouting at barely looked up from the device in her hands. She'd been there only a week, the doctor thought, and already she was proving her incompetence. He pulled the EMR reader away from her and impatiently entered his access code. The screen flashed Access denied.
"What is this?" he growled. "I just looked at this patient's files yesterday!"
IT had designed the network so that records could be accessed only by the doctors, nurses, and administrators who needed them. Today, apparently, something had gone dreadfully wrong. The intern stood, arms akimbo, shaking her head. Resisting the urge to bang the device against a table, the doctor stormed down the hall to the IT department. He barely noticed the cluster of worried-looking nurses at their station, or the empty medication carts that should have been making their morning rounds.
At the heart of the department he happened on an unusual scene. A group of disgruntled doctors had gathered outside a glass-enclosed room in which several servers were humming on racks. Inside the room a few IT guys labored frantically. As the doctor drew nearer, he could see that each of his colleagues carried a device flashing the same message: Access denied.
Records for Ransom
Minutes later, Jacob was in Paul's office when the third e-mail arrived. In complete silence the two stared at Paul's computer screen. We bet u want your stuff back. probly shud have protected it better. for the small price of 100K well make this go away.
"What the hell is going on?" Paul demanded. "I've got doctors rioting in the halls."
"This is some kind of system-wide ransomware," Jacob muttered. "Instead of holding up a couple of people for 50 bucks a pop, these guys are holding up the whole organization. They want $100,000 for the decryption tool." His entire team was at work trying to restore the system. The programming that normally allowed only selective access to records had been altered to allow no access at all. Even the system administrators were shut out.
"How did they get into our system?"
"Maybe through an individual user's machine," Jacob replied. "Someone here might have thought he was downloading antivirus software -- or updating an existing application."
"One idiot on our staff could have caused this entire mess?" Paul realized in a sickening instant that Sunnylake's IT department was simply not big enough or sophisticated enough to handle such a devastating problem. Over the past three years technology security had advanced significantly, but somehow Sunnylake had not kept up. Only days earlier Paul had been confident that the system was virtually impossible to infiltrate. Now he had to face the horrifying reality that it had been too weak all along.
Complete records were backed up on the network, so patient information wouldn't be utterly lost. But Sunnylake currently had no way of delivering those records to doctors who urgently needed them for patient care. The hospital was about to come to a standstill.
"This is --" Paul paused, at a loss for words. "Really bad. Really, really bad." He looked at Jacob.
The IT director's eyes had narrowed, and his expression was ferocious. "What kind of slime hacks a hospital?" he demanded of the screen. "Don't they care about hurting sick people? You think you've seen the worst, but these people get lower all the time."
"From what I've heard, hackers don't exactly subscribe to a moral code," Paul said, suppressing an urge to shout at Jacob. "They must have realized that our dependence on these records makes us particularly vulnerable. If you take down a normal site for a few hours, the company probably loses money. Maybe even a lot of money. But if you take records away from a hospital, the staff might end up hurting the patients it works so hard to protect. This isn't just a question of money anymore. We have human lives at stake."
"My people are fighting this with everything we've got," Jacob responded defensively. "Given enough time, we can regain control of the system. Then we'll upgrade security to make sure nothing like this ever happens again. We'll install a network-based infection detection system. From now on, just warding off intruders isn't enough."
"The question is, When can we win?" Paul said quietly, holding down his frustration. "We can't go without records much longer."
"This is the digital equivalent of hand-to-hand combat," Jacob replied. "We know the system better than these people do, but they have the advantage of surprise. I just can't tell you when we're going to win. There isn't a quick fix for a problem like this."
Paul nodded toward the screen. "They've offered us a quick fix," he said.
"You're not seriously considering paying these guys, are you?" Jacob asked incredulously. "If we pay once, we'll be a target forever. Don't do it. It's not right. We can beat these guys, Paul. Just give me some more time."
A Ticking Bomb
"Paul, we need to make this go away," said Lisa Mankins, Sunnylake's head legal counsel. Her hair was pulled back smoothly, and she was dressed as usual in an austere pantsuit, but Lisa looked as if she'd just undergone hours of torture.
After the hackers' latest e-mail, IT had managed to restore the system twice, only to have it crash minutes later. Despite the department's best efforts, Jacob explained, the hackers kept regaining access. Most of the staff was beginning to look emotionally drained. The hospital had ordered all doctors to write paper nursing orders and prescriptions for the time being. The younger doctors, who'd always relied on EMRs, were baffled by the concept. Even some of the older ones had forgotten how to scratch out "500 mg Amoxicillin" legibly.
Paul had called Lisa into his office to talk about damage control.
"Our legal exposure in this kind of situation is mind-boggling," she said. "The longer this goes on, the bigger the risk. Literally every second is a liability. Doctors are resorting to old paper records for the most urgent cases, but those records are way out of date. Earlier this afternoon we treated a patient with medicine he was allergic to. Luckily, his reaction was mild -- but we may not be so lucky next time."
Lisa paced back and forth in front of Paul's desk. "We have to assess our options. It doesn't look to me like IT can fix this problem fast enough -- if at all."
"The way Jacob explained it to me, IT needs a certain amount of time to regain control," Paul said. He had tried all morning to preserve his confidence in Jacob's ability, but it was beginning to fade. Each time the system was restored, hope had soared in Paul's chest, only to crash again when Access denied reappeared on every screen.
"We don't have that time," Lisa insisted. "You know that." After a moment of silence she spoke again, her face tight. "We have a budget for this kind of thing, you know. An acceptable-loss budget. We have insurance that covers IT risk and the money to pay these guys. Malpractice suits could cost this hospital hundreds of thousands of dollars in legal fees alone -- and possibly millions in damages. A hundred thousand bucks pales alongside the losses we might face if we wait this out. I think it's practical -- even moral -- to pay the ransom. The longer we wait, the more we risk seriously hurting our patients and ourselves."
"I don't like the idea," Paul said. "Not at all. It's unprincipled to reward extortion. It would just encourage these people, and maybe lead to other attacks on other hospitals." He paused. "But it might be all we've got."
Lisa had barely left his office before George Knudsen, the chief of staff, stormed in.
"When are you going to fix this?" he demanded. "Do you have any idea what this will do to our reputation if some newshound gets wind of it?" George was a grizzled and intimidating fixture at Sunnylake. He'd been there for years when Paul arrived, and might well outlast him. The two had butted heads over the introduction of EMRs, but had been cordial since the initiative's success. George looked anything but cordial now.
"Everyone is working as hard as possible," Paul replied. "It's been tough for all of us."
"I don't think you know how difficult it's been," George said angrily. "You wouldn't know that unless you had to treat patients while wondering whether you were actually doing them harm. You wouldn't know that unless you were afraid of breaking your oath just because some young computer geek thought his system was a whole lot stronger than it actually is."
"George, you know how good the electronic system has been for this hospital," Paul retorted, alarmed by the older man's fury. "You admitted it yourself."
"I didn't know what kind of cost we were going to pay!" George roared. "You're making your entire staff look incompetent -- or worse! Paper might have been slow, but it was reliable. If you don't fix this soon, Paul, I'm never touching one of those damn devices again. And I know plenty of others here who will feel the same way." He stalked out.
Paul lay on his back on the sofa in the staff lounge, staring up at the half-lit ceiling. It was 1:00 am. The IT team was still in the hospital, waging cyberwar with the unseen adversary. The pattern of brief victory followed by defeat had continued into the night. Jacob had tried every online decrypter he could find; his team was fanned out across the hospital, scanning computers for leads.
Paul clenched his eyes shut. He kept seeing cinematic images of Allied code breakers battling the Germans' Enigma machine. Sunnylake's situation felt every bit as urgent. Try as he might, he couldn't clear his mind and let himself fall asleep. Crushing guilt, a sense of responsibility for all that had passed that day, pressed down on his chest.
Even after three years of success, during which the staff had almost without exception come to appreciate the efficiency of EMRs, Paul could clearly remember how hard he'd had to fight to get the system installed and accepted. Unless he could resolve this crisis quickly, he would lose all the ground he had won. The doctors at the hospital had been a stubborn, resistant lot at the outset, and George Knudsen wasn't the only one who would snap into I-told-you-so mode. It might be nearly impossible to get them to trust the system -- or him -- again.
If he paid the hackers -- just this once -- Sunnylake could make security the number one priority and ensure that nothing like this ever happened again. Paul rolled over, sighing. Was he actually considering paying extortion money to these criminals?
How should Sunnylake deal with the attack?
Read the article above to answer these questions:
https://hbr.org/2009/10/when-hackers-turn-to-blackmail-2#:~:text=Ur%20network%20security%20sucks%2C%20the,%2C%20deleting%20the%20e%2Dmail.
1. Summary of the Facts
This section should present a brief listing of the key facts with page numbers from the case in parentheses, where appropriate. Therefore, there is little room for a long presentation on each fact. Important assumptions should be listed here and labelled as such, with reasons given for making them.
2. Statement of the Problem
This section should start by presenting a concise statement of the major problem or problems. Remember, the more problems you identify, the more solutions will be necessary or the more complex a given solution is likely to be. Some questions to ask when you formulate your definition of the problem are:
1. Have I identified the basic problem(s) or am I dealing with the symptoms?
2. If I have identified more than one problem, are they separate or related?
3. Am I putting myself in the company's shoes and looking towards the future?
3. Problem Analysis
The PROBLEM ANALYSIS is the most crucial segment in the development of a case. It should be a detailed analysis, leading to your alternatives and recommendations. Concentrate on issues discussed in the unit that have caused the problems or managerial concepts that may be used to solve the problems. It should organize the basic issues or factors in the case.
Do not reiterate the case -- this is a waste of time and space.
The analysis should incorporate all relevant material discussed in class and the text. Analytical arguments should be based upon the facts of the case, as well as upon logical and clear-cut reasoning. Use an objective, unemotional approach in your analysis. This does not mean that you may not be persuasive in your methods of presentation. A logical grouping of related points will help, as will full development of each point. Give your analysis depth, as well as breadth; substantiate major points with minor points. Be sure that you cover each point adequately by explanation or evidence. Look at concepts like the differing parties affected by the situation.
4. Evaluation of Alternatives
This section should indicate 3 possible solutions. Each solution should include at least three pros and three cons (strong and weak points) that relate to it. Based on your analysis, develop a list of alternatives for resolving the issues or problems you observed in the case. Some alternatives clearly not feasible could be omitted. All other alternatives must be formally evaluated. Determine the yardsticks to measure their feasibility, utility, and risk. It is not enough that a given action will reduce costs. There may be other offsetting disadvantages. For example, lack of capital might prohibit its use.
This section of your analysis should, using course concepts, tell why your solution(s) will work. A major objective of this section is to show clearly how you are applying course concepts to arrive at a workable solution and implementation to the problem you have identified. Be sure to stress the application of course concepts, and underline any course concepts applied during this section.
5. Recommendations
Logical reasoning and evaluations will eventually narrow the several feasible alternatives to the ONE with the least risk and/or the greatest potential reward. This recommendation must solve the problem identified, tend to optimise profits and minimize costs, and be feasible in terms of satisfying personnel, existing functional relationships, and resources available. Explain which alternative you recommend and why.
Explaining why you did NOT pick the other alternatives is also a good idea.
6. Implementation
Draw up a plan for HOW you will implement your recommendation. Include dates, names and specific actions that must be performed to accomplish or achieve your objectives. The plan should be divided into short term (< 1 yr) and long term (> 5 yr) plans (timeline).