It was reported earlier today that Hollywood Presbyterian Medical Center, a 430-bed Los Angeles hospital, paid some $17,000 in ransom in order to regain control of its computer systems. (Initial reports stated that the criminals asked for $3.4 million.) The hospital was a victim of a ransomware attack, which infected its systems with malware that could only be removed by paying the attackers for a decryption key.
As a result, Hollywood Presbyterian lost access to critical systems and data and was forced to operate under very limited conditions, relying on telephones, handwritten notes, and fax machines. The hospital asserts that, though it went offline for several days, patient care was in no way compromised.
This incident was not the first of its kind; in fact, hospitals seem to be a growing target for such attacks. While ransomware attacks in general are creating a cybersecurity crisis — estimates are that at least 90,000 machines are being infected daily by a new strain of ransomware named Locky — it is especially frightening to think about the victimization of health care providers.
In Hollywood Presbyterian’s case, the center declared an internal emergency when it was under attack; doctors were not able to access electronic health records and some patients missed treatments.
In general, hospitals are increasingly dependent on fancy machines that monitor patients, robotically assist surgeons, communicate with other devices, etc. However, the more complicated a system is, the more difficult it is to nail down the sources of errors or malicious viruses. And many hospitals are not staying current in terms of cybersecurity.
According to Elliott Frantz, CEO of computer security firm Virtue Security, “It’s very common for hospitals to have a large number of outdated and vulnerable systems on the network.”
Additionally, some attacks on hospitals go unreported, presumably to avoid unnecessarily alarming the public. Just last week Lukas Hospital in Germany was effectively shut down by a cyberattack that entered its systems via email. The hospital has been working to decode the virus on its own, but it took the step of going public with the attack and urging others to follow suit.
Tom Corn, SVP of security products at VMware, adds that when a data breach occurs, “You go massively public. You tell everyone in the world that this infrastructure can’t be trusted and you have to switch to something else.”
Hospital systems contain data that are critically valuable, causing many health care executives to bow to pressure from cybercriminals. Some experts say that Hollywood Presbyterian should not have paid the ransom, as that could only encourage copycat attacks. The hospital’s CEO, Allen Stefanek, issued a statement saying that by paying the ransom, the hospital has been able to quickly normalize operations and bring its systems back online. In fact, most victims of these attacks, including hospitals, end up paying the ransoms.
The question of whether it’s better to pay attackers what they ask or to hold out on ransom payments is a tricky one. As hospitals continue to modernize, they must also invest in security — an admittedly expensive undertaking. Software companies need to make their products more secure as well. And finally, more communication is necessary between law enforcement and security experts if these attacks are going to be contained.
Diane Ramirez has been a member of the D&B editorial department for more than a decade. She currently covers the health care and insurance industries for Hoover’s.