Hospital Pays Hacker Bitcoin Ransom


Not too long ago, taking the nation’s wild, messy, unreliable system of medical records online seemed like a worthy goal.

“To improve the quality of our health care while lowering its cost, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized,” President Obama said. “This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests.”

While the shift Obama and many others pushed may have improved care, electronic medical records led to quite the unique hostage situation in Los Angeles this week. There, a hospital fell prey to a cyberattack — and the hospital has escaped its plight by paying hackers a $17,000 ransom.

Allen Stefanek, president and chief executive of Hollywood Presbyterian Medical Center, explained the situation. “On the evening of February 5th, our staff noticed issues accessing the hospital’s computer network,” he wrote. “Our IT department began an immediate investigation and determined we had been subject to a malware attack. The malware locked access to certain computer systems and prevented us from sharing communications electronically.”

What communications needed to be electronically shared? As Stefanek got around to pointing out a few paragraphs later, medical records. As reports emerged of the hospital being forced to resort to the prehistoric days of paper charts, at least one patient was feeling the pain. “I wasn’t feeling very well, went in for a checkup and they said their computers were down,” patient Melissa Garza told Fox 11 last week. “I asked, ‘What’s going on here?’ and they said we were hacked.”

But all was now well, Stefanek said Wednesday. “All systems currently in use were cleared of the malware and thoroughly tested,” he wrote. “We continue to work with our team of experts to understand more about this event.”

Stefanek also said that reports of the ransom payment were greatly exaggerated. “The reports of the hospital paying 9000 Bitcoins or $3.4 million are false,” the statement said. “The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000.” For a 434-bed hospital with more than 500 doctors that’s generated as much as $209 million in yearly revenue, perhaps that wasn’t so much. But wasn’t any amount too much? Could anonymous computer wizards potentially compromise care and get away with it? Yes. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek’s statement said. “In the best interest of restoring normal operations, we did this.”

Experts agreed this was a familiar course of action. “Unfortunately, a lot of companies don’t tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals,” Adam Kujawa, head of Malware Intelligence for Malwarebytes, a San Jose-based company that recently released software designed to thwart such attacks, told the Associated Press. “But I know from the experiences I hear about from various industry professionals that it’s a pretty common practice to just hand over the cash.”

But Hollywood Presbyterian, owned by CHA Medical Center of South Korea, said not to worry. “Patient care has not been compromised in any way,” Stefanek wrote. “Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access.” If that’s true, Hollywood Presbyterian has avoided potential disaster. To name just one example of a healthcare-related computer attack, the hack of a hospital operator in Tennessee compromised the personal information of 4.5 million people in 2014.

“Any time you are offering any type of information you consider personal, private or sensitive, you have to be aware that the minute you provide it to a third party, you’re reliant on them to protect it,” Mark Burnette, a security and risk attorney, said at the time. He pointed out that the ER is not a great place to ask about data privacy: “If you are in need of life-saving medical care, you’re not going to stop and say, ‘Hey, before you start to operate, can you tell me if you’re going to protect my information?’” Even police departments have coughed up ransom payments to get their data back.

“A major criticism of electronic medical records in America is that the companies that make them have financial incentives to keep them from being easily shared,” Kaiser Health News wrote in 2014. “It’s kind of like Windows versus Mac operating systems. Many companies are trying to win market share by creating software that doesn’t ‘talk’ to that made by other companies, so if a big hospital uses software from company X, then all the doctors that work with that hospital will have an incentive to buy that software, too.”

Hollywood Presbyterian Medical Center showed uncommon transparency in saying it paid the 40 bitcoins — or about $17,000 — demanded when it fell victim to what’s commonly called “ransomware.” The hacking tactic is growing fast against both individuals and institutions, but it’s difficult to say exactly how fast, and even tougher to say how many pay up. “Unfortunately, a lot of companies don’t tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals,” said Adam Kujawa, Head of Malware Intelligence for Malwarebytes, a San Jose-based company that recently released anti-ransomware software. “I know from the experiences I hear about from various industry professionals that it’s a pretty common practice to just hand over the cash.” Computer security experts normally recommend people not pay the ransom, though at times law enforcement agencies suggest they do, Kujawa said. The FBI said it is investigating the ransomware attack, but has provided no details beyond that.

During 2013, the number of attacks each month rose from 100,000 in January to 600,000 in December, according to a 2014 report by Symantec, the maker of antivirus software. A report from Intel Corp.’s McAfee Labs released in November said the number of ransomware attacks is expected to grow even more in 2016 because of increased sophistication in the software used to do it. The company estimates that on average, 3 percent of users with infected machines pay a ransom. The infiltration at Hollywood Presbyterian was first noticed on Feb. 5, CEO Allen Stefanek said in a statement. Its system was fully functioning again by Monday, 10 days later. The hospital did not say whether anyone in law enforcement or the technology business had recommended it pay off the hackers and quickly obtain the digital key needed to regain access to its data.

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.” Neither law enforcement nor the hospital gave any indication of who might have been behind the attack or whether there are any suspects. Bitcoin, the online currency that is hard to trace, is becoming the preferred way for hackers to collect a ransom, FBI Special Agent Thomas Grasso, who is part of the government’s efforts to fight malicious software including ransomware, told The Associated Press last year. Patient care at Hollywood Presbyterian was not affected by the hacking, and there is no evidence any patient data was compromised, Stefanek said.

The 434-bed hospital in the Los Feliz area of Los Angeles was founded in 1924. It was sold to CHA Medical Center of South Korea in 2004. It offers a range of services including emergency care, maternity services, cancer care, physical therapy, and specialized operations such as fetal and orthopedic surgeries.