“While it was not the first hacked organization to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news,” Reuters reported.

Until the hospital coughed up the sum, several of its key and core functions were effectively paralyzed. “The facility was without access to email, digital patient records and some internet-connected medical devices for nearly two weeks, from Feb. 5 to 17,” according to CBC.

“It’s no different than if they took all the patients and held them in one room at gunpoint,” insisted state Sen. Robert Hertzberg, D-Van Nuys, Reuters reported. Hertzberg has introduced legislation “to make a ransomware attack equivalent to extortion and punishable by up to four years in prison.”

Health care hacks have spiked in recent months. “The health care industry isn’t just a top target for ransomware attacks,” CBC noted. “According to a report by security firm Trend Micro, 30 percent of identity theft-related cybercrime activity targeted health care from 2005 to 2015.”

Just this year, the San Francisco Chronicle reported, four hospitals including HPMC were hit. “Though there are no recorded patient injuries or deaths tied to cyberattacks, digital security in hospitals, and, perhaps, more importantly in medical devices such as pacemakers and MRI machines, has become a growing concern in the industry,” the paper added.

Limited measures

The Food and Drug Administration has struggled to stay ahead of the risk curve. Hospitals not only have traditional online networks to worry about; their myriad of networked devices provide hackers with a wealth of potential targets and entry points into databases. “Last summer, the FDA and Department of Homeland Security issued a warning to hospitals about a drug-infusion system with a flaw so serious that it could give hackers entree into the devices,” according to the Chronicle. “Just last month, the FDA issued draft guidance for medical device manufacturers to begin administering their own vulnerability disclosure programs — allowing outside researchers to easily flag weaknesses.”

But the HPMC attack underscored the limited power of regulations and bureaucracies to police the front line of defense for companies targeted by hackers: staff education. “According to CSO, the incident was random, likely meaning a hospital staffer clicked a malicious link or attachment that ultimately spread the malware throughout the network,” The Verge observed.

Planning for attacks

Because hackers predominantly play a numbers game, casting a wide net instead of focusing from the outset on a specific target, hospitals have wound up being targeted simply in virtue of being large, often unwieldy organizations that can’t afford to be crippled for very long. “Mostly, hacks start with mass email campaigns aiming to snare unwitting recipients. Hospitals, police agencies and other essential services fall victim because employees who have access to those networks are often busy, IT staffs are underfunded, and cybersecurity training is rare,” according to the International Business Times.

While organizations must stop or prevent every attempted breach of their network to prevail over attackers, hackers themselves often only need to breach once in order to seize data they can exfiltrate or hold for ransom. For that reason, experts have counseled that the best defense is one that expects breaches to occur and creates strategies to deal with them. “Ransomware strains are becoming increasingly complex and impossible to contain. The best way to avoid an infection is to plan on being infected anyway,” as IBT noted. “The only catch-all way to mitigate the damage is regular data backups, in the form of either cloud storage or a physical hard drive.”

Data acquired illegally, such as Social Security information, date of birth or street address, could be used to clear the IRS’ “multi-step authentication process,” rendering most of those safety precautions useless. With this data, the IRS said, criminals were able to file fraudulent tax refunds.

According to the statement:

“The matter is under review by the Treasury Inspector General for Tax Administration as well as the IRS’ Criminal Investigation unit, and the ‘Get Transcript’ application has been shut down temporarily.

In addition to disabling the “Get Transcript” application, the IRS has taken the below steps:

• “Sending a letter to all of the approximately 200,000 taxpayers whose accounts had attempted unauthorized accesses, notifying them that third parties appear to have had access to taxpayer Social Security numbers and additional personal financial information from a non-IRS source before attempting to access the IRS transcript application. Although half of this group did not actually have their transcript account accessed because the third parties failed the authentication tests, the IRS is still taking an additional protective step to alert taxpayers. That’s because malicious actors acquired sensitive financial information from a source outside the IRS about these households that led to the attempts to access the transcript application.
• “Offering free credit monitoring for the approximately 100,000 taxpayers whose Get Transcript accounts were accessed to ensure this information isn’t being used through other financial avenues. Taxpayers will receive specific instructions so they can sign up for the credit monitoring. The IRS emphasizes these outreach letters will not request any personal identification information from taxpayers. In addition, the IRS is marking the underlying taxpayer accounts on our core processing system to flag for potential identity theft to protect taxpayers going forward — both right now and in 2016.”