L.A. hospital pays ransom to regain control of computer system from hackers

hollywoodpresbyterian2hitnAnnouncing its data had been taken hostage by hackers, Hollywood Presbyterian Medical Center got its information back but triggered a new wave of fears that so-called “ransomware” attacks pose a serious threat to the health care industry in California and beyond.

“While it was not the first hacked organization to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news,” Reuters reported.

Until the hospital coughed up the sum, several of its key and core functions were effectively paralyzed. “The facility was without access to email, digital patient records and some internet-connected medical devices for nearly two weeks, from Feb. 5 to 17,” according to CBC.

“It’s no different than if they took all the patients and held them in one room at gunpoint,” insisted state Sen. Robert Hertzberg, D-Van Nuys, Reuters reported. Hertzberg has introduced legislation “to make a ransomware attack equivalent to extortion and punishable by up to four years in prison.”

Health care hacks have spiked in recent months. “The health care industry isn’t just a top target for ransomware attacks,” CBC noted. “According to a report by security firm Trend Micro, 30 percent of identity theft-related cybercrime activity targeted health care from 2005 to 2015.”

Just this year, the San Francisco Chronicle reported, four hospitals including HPMC were hit. “Though there are no recorded patient injuries or deaths tied to cyberattacks, digital security in hospitals, and, perhaps, more importantly in medical devices such as pacemakers and MRI machines, has become a growing concern in the industry,” the paper added.

Limited measures

The Food and Drug Administration has struggled to stay ahead of the risk curve. Hospitals not only have traditional online networks to worry about; their myriad of networked devices provide hackers with a wealth of potential targets and entry points into databases. “Last summer, the FDA and Department of Homeland Security issued a warning to hospitals about a drug-infusion system with a flaw so serious that it could give hackers entree into the devices,” according to the Chronicle. “Just last month, the FDA issued draft guidance for medical device manufacturers to begin administering their own vulnerability disclosure programs — allowing outside researchers to easily flag weaknesses.”

But the HPMC attack underscored the limited power of regulations and bureaucracies to police the front line of defense for companies targeted by hackers: staff education. “According to CSO, the incident was random, likely meaning a hospital staffer clicked a malicious link or attachment that ultimately spread the malware throughout the network,” The Verge observed.

Planning for attacks

Because hackers predominantly play a numbers game, casting a wide net instead of focusing from the outset on a specific target, hospitals have wound up being targeted simply in virtue of being large, often unwieldy organizations that can’t afford to be crippled for very long. “Mostly, hacks start with mass email campaigns aiming to snare unwitting recipients. Hospitals, police agencies and other essential services fall victim because employees who have access to those networks are often busy, IT staffs are underfunded, and cybersecurity training is rare,” according to the International Business Times.

While organizations must stop or prevent every attempted breach of their network to prevail over attackers, hackers themselves often only need to breach once in order to seize data they can exfiltrate or hold for ransom. For that reason, experts have counseled that the best defense is one that expects breaches to occur and creates strategies to deal with them. “Ransomware strains are becoming increasingly complex and impossible to contain. The best way to avoid an infection is to plan on being infected anyway,” as IBT noted. “The only catch-all way to mitigate the damage is regular data backups, in the form of either cloud storage or a physical hard drive.”


Tags assigned to this article:
hackinghospitalshealth careRobert Hertzberg

Related Articles

Will Crashing Real Estate Kill Prop. 13?

JUNE 1, 2011 By WAYNE LUSVARDI A demogogue is a leader who obtains power by means of impassioned appeals to

Bill Would Mandate Union Teacher Jobs

JUNE 2, 2011 By, KATY GRIMES An education bill is being used to increase the power of teachers’ unions. AB 515

Two bills targeting rape pass Legislature, head to Gov. Brown’s desk

  A series of high profile rape accusations led California lawmakers to pass new legislation designed to remove a judge’s discretion in