
Was Hollywood Presbyterian ransom attack preventable?

A security expert wants to know how the ransomware got on the computer system. Was an unsuspecting employee the victim of a phishing attack, or was it a true hack? Does the hospital have a suitable backup system in place? When will the computers come back online?


The hackers who brought down the computer network and connected medical devices at Hollywood Presbyterian Medical Center in Los Angeles have taken healthcare cyberattacks to the next level, according to a maker of network security technology.

“This is an unusually large amount to ask for,” said Stephen Gates, chief research analyst and principal engineer of NSFocus IB, Santa Clara, California. According to several published reports, hackers are demanding a ransom of 9,000 Bitcoin, equivalent to about $3.6 million, to unlock the hospital’s computers.

This ransomware attack, which started more than a week ago, represents a new kind of threat to healthcare organizations, according to Gates. “Ransomware is a unique kind of malware,” he said. It encrypts files on the network and asks for a key code to decrypt the files. The perpetrators usually demand a ransom payment to provide the code, Gates explained.

“Extortion campaigns are really what they are,” said Gates.

Hollywood Presbyterian isn’t saying much about the incident. President and CEO Alan Stefanek told KNBC-TV that the hospital had “significant IT issues and declared an internal emergency” on Feb. 5, but did not confirm that hackers had demanded ransom. That information came from an unidentified physician.

Stefanek also reportedly said that “patient privacy has not been compromised.” He added that the FBI, Los Angeles Police and private forensic experts are investigating.

Hollywood Presbyterian referred media calls to a dedicated phone number set up to respond to this incident. On Tuesday, the voicemail box on that line was full, and a call to another hospital media representative has not been returned.

There still is the possibility that the hospital’s McKesson electronic health records system could be a target, though. “By encrypting Hollywood [Presbyterian’s] data and holding it for ransom, the attacker(s) have not only halted work capabilities and stifled patient care, but they most likely now also have the ability to freely move laterally through the network to find higher value targets, such as patient healthcare records,” Carl Wright, executive vice president of TrapX Security, San Mateo, California, said in an e-mailed statement.

NSFocus IB’s Gates, like so many others, has plenty of questions. He wants to know how the ransomware got on the computer system. Was an unsuspecting employee the victim of a phishing attack, or was it a true hack?

Does the hospital have a suitable backup system in place? (That seems unlikely, given that the network remains down.) When does Hollywood Presbyterian plan on bringing its computers back online?

Gates said to expect this type of attack to become more common. That means hospitals and other businesses need to plan for and protect against ransomware. “We as a nation need to get our arms around this cybersecurity problem,” he said.

For prevention, Gates recommended not exposing EHRs to the Internet “in an uncontrolled fashion.” Cloud-based EHRs do tend to encrypt data before it hits the open Internet. He also said to limit general Internet access on computers and other devices that handle protected health information, to have a solid contingency plan in place and to educate employees about phishing.

“It all goes back to good planning,” Gates said.

Photo: Flickr user Nick Carter
