Should we pay the ransom? Ethical and practical considerations

This is a genuine ethical dilemma many organizations face. Our hospital was hit by ransomware and patient care is being affected. The FBI says don’t pay, but we have lives at stake. What are the practical and ethical considerations? Has anyone here been in this situation?

This is genuinely one of the hardest decisions in cybersecurity. Here are the facts:

• Against paying: Funds criminal operations, no guarantee of data recovery (only ~65% of payers get all data back), may violate OFAC sanctions
• For paying: May be the only option when lives are at stake, business continuity, fiduciary duty to stakeholders

For hospitals specifically, I believe patient safety must come first. But this should be a last resort after exhausting all other options including engaging law enforcement who may have decryption keys.