A hospital in Los Angeles paid cyberhackers 40 bitcoins (the equivalent of about $17,000) to remove “ransomware” that disabled its computer system for ten days.
Allen Stefanek, CEO of Hollywood Presbyterian Medical Center, assured patients in a Feb. 17 statement that although the hospital remained off-line for more than a week, “this incident did not affect the delivery and quality of the excellent patient care you expect and receive.”
“All systems currently in use were cleared of the malware and thoroughly tested,” he said.
The CEO - who characterized the cyberattack as “random” - explained that “the malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
“Law enforcement was immediately notified,” he continued. “Computer experts immediately began assisting us in determining the outside source of the issue and bringing our systems back online. We continue to work with our team of experts to understand more about this event.”
The medical center declared an “internal emergency” on Feb. 5 after employees found themselves locked out of the hospital computer system, KNBC-TV reported. The system was restored on Feb. 15 after the ransom was paid.
“Ransomware attacks have become so effective that the FBI has gone on record recommending that organizations just pay the ransom,” according to a January report entitled Hacking Healthcare IT in 2016 by the Institute for Critical Infrastructure Technology (ICIT), a non-profit, non-partisan group that acts as “a conduit between the private sector, federal agencies, and legislative community.”
But “the pattern of acquiescing to attacker demands ensures that ransomware will rapidly grow in popularity in 2016,” ICIT noted.
“When lives are held ransom, how could a health organization refuse to pay the ransom?”
The healthcare sector is “the most targeted yet unprepared” for cyberattacks, the ICIT report added, noting that “47% of the population of the United States have had their personal healthcare data compromised over the last 12 months.”
“The vast majority of human beings are in at least one healthcare system, while only a fraction of the population is included in government systems,” ICIT pointed out, adding that “consumers in the healthcare sector have no real control over how their data is stored or used.”
“Your hospital has a greater and broader amount of your private data than your employer or your bank does,” the report explained. As a result, “healthcare breaches have a higher impact and greater fiscal return than government breaches….Personal medical data is ten times more valuable than credit card information online.”
Stolen medical data also fetches more on the black market than stolen Social Security numbers, according to AT&T: “The street cost of a stolen medical record is $50 compared to $1 for a stolen Social Security number.”
The vulnerability of the nation’s healthcare sector “offers script kiddies a domain to wreak havoc, mercenaries an all-encompassing plane upon which to exfiltrate records for capitalization, and state sponsors an unprotected target to accumulate a database from which to derive future surveillance and adversarial positioning,” ICIT warned.
Hackers can gain entry to computerized medical systems via medical sensors such as RFID chips, remote monitoring and behavior modification devices, mobile phone apps, video conferencing, emails, cloud data sharing, and even medical implants such as pacemakers and insulin pumps.
“During his tenure as Vice President, it was discovered that Al Qaeda operatives were attempting to compromise Dick Cheney’s pacemaker by exploiting an unsecured Bluetooth connection,” the ICIT report stated.
“Imagine the financial gain a criminal syndicate could accomplish if they held hostage every IoT- [Internet of Things] enabled pacemaker using simple ransomware programs. Imagine the impact a cyberterrorist group could have if they shut off those pacemakers to send a message?”