L.A. hospital pays ransom to regain control of computer system from hackers

hollywoodpresbyterian2hitnAnnouncing its data had been taken hostage by hackers, Hollywood Presbyterian Medical Center got its information back but triggered a new wave of fears that so-called “ransomware” attacks pose a serious threat to the health care industry in California and beyond.

“While it was not the first hacked organization to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news,” Reuters reported.

Until the hospital coughed up the sum, several of its key and core functions were effectively paralyzed. “The facility was without access to email, digital patient records and some internet-connected medical devices for nearly two weeks, from Feb. 5 to 17,” according to CBC.

“It’s no different than if they took all the patients and held them in one room at gunpoint,” insisted state Sen. Robert Hertzberg, D-Van Nuys, Reuters reported. Hertzberg has introduced legislation “to make a ransomware attack equivalent to extortion and punishable by up to four years in prison.”

Health care hacks have spiked in recent months. “The health care industry isn’t just a top target for ransomware attacks,” CBC noted. “According to a report by security firm Trend Micro, 30 percent of identity theft-related cybercrime activity targeted health care from 2005 to 2015.”

Just this year, the San Francisco Chronicle reported, four hospitals including HPMC were hit. “Though there are no recorded patient injuries or deaths tied to cyberattacks, digital security in hospitals, and, perhaps, more importantly in medical devices such as pacemakers and MRI machines, has become a growing concern in the industry,” the paper added.

Limited measures

The Food and Drug Administration has struggled to stay ahead of the risk curve. Hospitals not only have traditional online networks to worry about; their myriad of networked devices provide hackers with a wealth of potential targets and entry points into databases. “Last summer, the FDA and Department of Homeland Security issued a warning to hospitals about a drug-infusion system with a flaw so serious that it could give hackers entree into the devices,” according to the Chronicle. “Just last month, the FDA issued draft guidance for medical device manufacturers to begin administering their own vulnerability disclosure programs — allowing outside researchers to easily flag weaknesses.”

But the HPMC attack underscored the limited power of regulations and bureaucracies to police the front line of defense for companies targeted by hackers: staff education. “According to CSO, the incident was random, likely meaning a hospital staffer clicked a malicious link or attachment that ultimately spread the malware throughout the network,” The Verge observed.

Planning for attacks

Because hackers predominantly play a numbers game, casting a wide net instead of focusing from the outset on a specific target, hospitals have wound up being targeted simply in virtue of being large, often unwieldy organizations that can’t afford to be crippled for very long. “Mostly, hacks start with mass email campaigns aiming to snare unwitting recipients. Hospitals, police agencies and other essential services fall victim because employees who have access to those networks are often busy, IT staffs are underfunded, and cybersecurity training is rare,” according to the International Business Times.

While organizations must stop or prevent every attempted breach of their network to prevail over attackers, hackers themselves often only need to breach once in order to seize data they can exfiltrate or hold for ransom. For that reason, experts have counseled that the best defense is one that expects breaches to occur and creates strategies to deal with them. “Ransomware strains are becoming increasingly complex and impossible to contain. The best way to avoid an infection is to plan on being infected anyway,” as IBT noted. “The only catch-all way to mitigate the damage is regular data backups, in the form of either cloud storage or a physical hard drive.”

4 comments

Write a comment
  1. JPR11
    JPR11 1 March, 2016, 09:30

    JP — Pls address added or the lack there of new water sources Did Sac agree on a Plan or did environmentalists win? Has funding been approved for water storage and desal facilities? What is the timing? Thx

    Reply this comment
  2. Spurwing Plover
    Spurwing Plover 1 March, 2016, 14:57

    These miserble hackers need to be locked up for life and total no access to any compusters

    Reply this comment
  3. MC
    MC 21 July, 2016, 19:32

    Ransomware can be beatable. There are a team of researchers from private companies looking to de-encrypt the files that ransomware locks.

    In the meantime, there should be better training awareness for employees

    Reply this comment

Write a Comment

Your e-mail address will not be published.
Required fields are marked*


Tags assigned to this article:
health careRobert Hertzberghackinghospitals

Related Articles

$1 billion difference splits bond measures

  It’s becoming clear the main difference between the four major water bonds being floated is $1 billion. The $1

Solar crash ramped up CA natural gas power

  Yesterday a problem struck California’s electricity system that wasn’t supposed to happen until at least 2015. Freak low-lying clouds

June ballot measure “orphaned,” but poised to pass

While dozens of measures are vying to make it on the November general election ballot, one proposal is ready for the June primary