A Hospital Held Ransom Highlights Healthcare as a Vulnerable Cyber Target

Security threats to healthcare providers continue to be fluid and fast-paced, as the most recent publicized cyberattack demonstrates. On February 5, 2016, hackers took control of the computer systems at Hollywood Presbyterian Memorial Medical Center in Los Angeles, California, using that control to demand a ransom. The hackers used malware to infect the hospital’s computers, which encrypted the files and locked out users and blocked communications from all devices.

After completing their lockout, the hackers demanded a reported ransom of 40 bitcoin, or approximately $17,000. The hospital promptly paid the demanded funds. In explaining the decision to pay, Chief Executive Officer Alan Stefanek focused on practicality, stating, “[t]he quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.” According to officials, the hospital paid the ransom prior to contacting local or federal authorities for assistance. The FBI has since taken over the investigation and is not discussing the case at this time.

The ransomware attack lasted a little over one week, causing, among other things, emergency patients to be diverted, patients needing imaging or lab work to be transferred to other facilities, and staff to work from limited medical records and document by paper.

The hospital’s highly-publicized decision to pay the ransom, along with the continued lack of definitive information about who the hackers are or what motivated them, is escalating concern that ransomware threats will intensify. “According to computer security experts cited by the L.A. Times, hospitals are particularly vulnerable targets for ransomware because some medical equipment relies on older operating systems that cannot easily be protected with security measures.” Lisa Myers, a researcher with computer security firm ESET, stated, “[h]ospitals also have been less proactive in terms of combatting cyber threats, and remain ‘about 10 to 15 years behind the banking industry’ in terms of security.” Many cybersecurity experts believe attacks designed to shut down a hospital – although they have not occurred before – could become commonplace.

In a report from Intel Corporation’s McAfee Labs, ransomware attacks are predicted to grow in 2016 due to the “increased sophistication in the software used to do it,” with estimates “that on average, 3 percent of users with infected machines pay a ransom.”

Fueling this concern, right on the heels of the hospital ransomware attack, the Los Angeles County Health Department reported on February 26, 2016, that they too were targeted in a ransomware attack, albeit on a smaller scale and with no impact on operations.

In short, ransomware and other cyberattacks are becoming more of a reality for healthcare facilities. In light of this predicted increase in prevalence and of the particular harms that such attacks present in a healthcare environment, advance preparation is critical. Facilities should know where their vulnerabilities lie by conducting a security review and making enhancements to protocols, in addition to reviewing and updating any contractual protections with all information technology providers. Where facility management considers scenarios like the one that faced Hollywood Presbyterian in advance, along with potential response options, they can dramatically improve their decision-making and potential crisis outcomes.

To review the entire document and formatting for this alert (e.g., footnotes), please access the original below:

Service Specialties

Industry Specialties