Courtesy: Hollywood
Presbyterian Medical Center
Presbyterian Medical Center
LA hospital pays hackers $17,000 ransom (not $3.7 million) to reclaim computer network
February 17, 2016
By: Thomas Dworetzky and Gus Iversen
Newsflash for hospital administrators: A cyberattack, like the one that just hit Hollywood Presbyterian Medical Center, might just put the "paper" back into your health care paperwork — and it may set you back at least a few grand to resolve.
Staff at the Los Angeles facility first spotted "significant IT issues and declared an internal emergency" last Friday. The ransomware attack shut down computers on February 5 and forced staff to resort to overworked fax lines and old-fashioned paper "charts" according to reports.
It was widely stated that the blackmailers demanded 9,000 bitcoins, or about $3.7 million dollars, for the keys to unlock the system, but a new statement from the hospital asserts that the ransom was considerably lower — and has been paid.
"The reports of the hospital paying 9000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000," Hollywood Presbyterian wrote in a statement on Wednesday. "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this."
For now, the $17,000 appears to have resolved the problem, but the implications for other susceptible health care facilities remain significant.
“Things are kind of slow,” vocational nurse Tina Bordas, a representative of the facilities nurses, told The Guardian during the technology blackout. But she added that some "old-school" staffers actually prefer paper.
“It takes less time to write something on paper than put it in the computer,” said the 27-year-veteran nurse. “A computer screen isn’t that friendly and as a nurse, there are certain things that you want to document that might not fit into a computer form.”
CEO Stefanek didn't think the hospital had been specifically targeted, telling NBC that "it was clearly not a malicious attack,” and added that he thought "it was a random attack.”
Experts suggest, however, that health care institutions are particularly juicy targets for ransom-driven hackers. "The expanding number of access points to Protected Health Information (PHI) and other sensitive data via electronic medical records and the growing popularity of wearable technology makes the health care industry a vulnerable and attractive target for cybercriminals.
Several factors suggest the health care industry will continue to be plagued with data breach headlines," according to Experian's 2015 Data Breach Industry Forecast.
That forecast noted that the threat is so serious that the FBI released a private warning about it in 2014, warning, "the health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," according to a notice it sent to health care providers, obtained by Reuters.
Experian also advised that the bottom line for health care IT professionals was that:
"Health care organizations will need to step up their security posture and data breach preparedness or face the potential for scrutiny from federal regulators. Reported incidents may continue to rise as electronic medical records and consumer-generated data add vulnerability and complexity to security considerations for the industry.
"Where previously IT departments were responsible for explaining security incidents, cyber attacks have expanded from a tech problem to a corporate-wide issue. With this shift, business leaders are being held directly accountable for data breaches. Executives at the highest levels are under scrutiny about security posture and their response to a breach from stakeholders, regulators and consumers.
"Recent mega breaches have showcased the significant pressure for management teams to brush up on their knowledge on data breach preparedness or face the threat of being ousted from the company."
The report also advised that C-suite executives should expect a "rise in legal and regulatory scrutiny" and that the industry could be looking at a potential cost for breaches of as much as $5.6 billion annually.
There have been a number of IT breaches in the health care sector recently, which have highlighted that, unlike other large companies and industries, such as those in the financial sector, security is relatively vulnerable at many health care facilities despite the fact that they contain much sensitive data, including both personal and financial information.
“Fortune 500 companies get it when it comes to the level of security that needs to surround your company and the amount of money that you need to invest,” David Ellis, vice-president of investigations at SecurityMetrics, told The Guardian, adding that "health care industry security is all over the map.”
Hospitals have credit card information, as well as personal data that makes it easier for thieves to steal identities, he noted, which makes them ideal targets for data thieves.
Hollywood Presbyterian is far from the only hospital that's been hit. A Texas facility went down for a week in early 2016 due to ransomware, and in Sept. 2015 a Florida hospital was the victim of a similar attack.
According to Hollywood Presbyterian, it has "restored its electronic medical record system (“EMR”) on Monday, February 15th. All clinical operations are utilizing the EMR system. All systems currently in use were cleared of the malware and thoroughly tested." The hospitals said it is still working to better understand the unfortunate situation.
Newsflash for hospital administrators: A cyberattack, like the one that just hit Hollywood Presbyterian Medical Center, might just put the "paper" back into your health care paperwork — and it may set you back at least a few grand to resolve.
Staff at the Los Angeles facility first spotted "significant IT issues and declared an internal emergency" last Friday. The ransomware attack shut down computers on February 5 and forced staff to resort to overworked fax lines and old-fashioned paper "charts" according to reports.
It was widely stated that the blackmailers demanded 9,000 bitcoins, or about $3.7 million dollars, for the keys to unlock the system, but a new statement from the hospital asserts that the ransom was considerably lower — and has been paid.
"The reports of the hospital paying 9000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000," Hollywood Presbyterian wrote in a statement on Wednesday. "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this."
For now, the $17,000 appears to have resolved the problem, but the implications for other susceptible health care facilities remain significant.
“Things are kind of slow,” vocational nurse Tina Bordas, a representative of the facilities nurses, told The Guardian during the technology blackout. But she added that some "old-school" staffers actually prefer paper.
“It takes less time to write something on paper than put it in the computer,” said the 27-year-veteran nurse. “A computer screen isn’t that friendly and as a nurse, there are certain things that you want to document that might not fit into a computer form.”
CEO Stefanek didn't think the hospital had been specifically targeted, telling NBC that "it was clearly not a malicious attack,” and added that he thought "it was a random attack.”
Experts suggest, however, that health care institutions are particularly juicy targets for ransom-driven hackers. "The expanding number of access points to Protected Health Information (PHI) and other sensitive data via electronic medical records and the growing popularity of wearable technology makes the health care industry a vulnerable and attractive target for cybercriminals.
Several factors suggest the health care industry will continue to be plagued with data breach headlines," according to Experian's 2015 Data Breach Industry Forecast.
That forecast noted that the threat is so serious that the FBI released a private warning about it in 2014, warning, "the health care industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely," according to a notice it sent to health care providers, obtained by Reuters.
Experian also advised that the bottom line for health care IT professionals was that:
"Health care organizations will need to step up their security posture and data breach preparedness or face the potential for scrutiny from federal regulators. Reported incidents may continue to rise as electronic medical records and consumer-generated data add vulnerability and complexity to security considerations for the industry.
"Where previously IT departments were responsible for explaining security incidents, cyber attacks have expanded from a tech problem to a corporate-wide issue. With this shift, business leaders are being held directly accountable for data breaches. Executives at the highest levels are under scrutiny about security posture and their response to a breach from stakeholders, regulators and consumers.
"Recent mega breaches have showcased the significant pressure for management teams to brush up on their knowledge on data breach preparedness or face the threat of being ousted from the company."
The report also advised that C-suite executives should expect a "rise in legal and regulatory scrutiny" and that the industry could be looking at a potential cost for breaches of as much as $5.6 billion annually.
There have been a number of IT breaches in the health care sector recently, which have highlighted that, unlike other large companies and industries, such as those in the financial sector, security is relatively vulnerable at many health care facilities despite the fact that they contain much sensitive data, including both personal and financial information.
“Fortune 500 companies get it when it comes to the level of security that needs to surround your company and the amount of money that you need to invest,” David Ellis, vice-president of investigations at SecurityMetrics, told The Guardian, adding that "health care industry security is all over the map.”
Hospitals have credit card information, as well as personal data that makes it easier for thieves to steal identities, he noted, which makes them ideal targets for data thieves.
Hollywood Presbyterian is far from the only hospital that's been hit. A Texas facility went down for a week in early 2016 due to ransomware, and in Sept. 2015 a Florida hospital was the victim of a similar attack.
According to Hollywood Presbyterian, it has "restored its electronic medical record system (“EMR”) on Monday, February 15th. All clinical operations are utilizing the EMR system. All systems currently in use were cleared of the malware and thoroughly tested." The hospitals said it is still working to better understand the unfortunate situation.