Four hospitals recently were hit with ransomware attacks, in which hackers seize control of a computer system and demand money for its release. One of the hospitals paid the ransom.
- Ransomware attacks are increasing.
- Hackers are becoming more proficient, and hospital IT programs are not keeping up.
- Authorities Discourage Victims From Paying The Ransom.
On the heels of four incidents in which hospitals were hit with ransomware attacks, the U.S. Department of Homeland Security and the Canadian Cyber Incident Response Centre jointly released an alert that warns about several prominent ransomware variants that have emerged over the past few years, including Symantec, Xorist, CryptorBit, CryptoLocker, Samas, and Locky.
Ransomware attacks involve hackers seizing control of a hospital’s computer system and records, then demanding payment for the encryption key or regaining control. Methodist Hospital in Henderson, KY; Chino Valley Medical Center in Chino, CA; and Desert Valley Hospital in Victorville, CA, were all the victims of ransomware attacks recently, but none is believed to have paid the ransom. Instead, the hospitals regained control through other means. Kentucky Methodist Hospital was forced to shut down all of its desktop computers and activate a back-up system, declaring “an internal state of emergency.” The hospital released a statement saying no patient data or care had been affected.
Hollywood Presbyterian Medical Center in Los Angeles paid $17,000 in bitcoin, which is a type of digital currency, to regain access to its computer files.
“The malware locks systems by encrypting files and demanding ransom to obtain the decryption key,” President and CEO Allen Stefanek said in a statement issued after the payment. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
The hospital was hit by one of most common ransomware types called Locky, which usually arrives in a spam email with an attached document advising readers to enable macros “if the data encoding is incorrect.” Once the malware is downloaded, it sends a message to desktops with instructions about how users can pay to have files unlocked.
The U.S. and Canadian governments recommend users do not pay the ransom if they are hit with a ransomware attack, and they say providing payment does not guarantee the files will be released.
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed,” according to the alert. (The alert is available to readers online at http://1.usa.gov/1RBQRWD.)
MORE ATTACKS TO COME
Hospitals can expect more ransomware attacks, says Ellen M. Derrico, MBA, CHM, senior director of global product marketing for healthcare and life sciences at RES, a company in Radnor, PA, that provides digital security services.
“It’s not if, it’s when. Ransomware attacks have increased twofold in the past six months, and I hear about new attacks every day,” Derrico says.
Paying the ransom happens a lot more often than many may think, she says. The Hollywood Presbyterian incident may be the first time it’s happened in healthcare — at least to such a dramatic and public extent — but it most certainly has happened elsewhere, she says. Victims often have no choice because the hackers are getting better all the time.
Derrico says she personally knows of dozens of organizations that have been hacked in a similar manner. But until now, most were able to regain control without paying the ransom, she says. It required time, effort, and resources, and it caused lots of disruption, but in most cases the IT professionals were up to the task.
“Today, increasingly, IT is not up to task,” she says. “The hackers are getting so good, sometimes paying up is actually the better choice.”
PATIENT SAFETY THREAT
Derrico notes that ransomware attacks directly threaten patient safety. Hollywood Presbyterian was without access to email and electronic health records for 11 days, with clinicians left to rely on faxes and verbal communication. New records and patient-registration information were recorded on paper, and some patients were transferred to other hospitals. It is only a matter of time before a ransomware attack causes serious harm or death because clinicians were unable to access records about a patient’s history, status, or medication administration, Derrico says.
The financial cost to a hospital could be significant, but a ransomware attack also damages the hospital’s reputation unless it can show that it had a response plan and quickly recovered without paying the ransom, Derrico says.
“On average, a basic breach costs $3.7 million to clean up, and then when records are stolen, you end up with lawsuits,” Derrico says. “When you add up all the costs and liability from a ransomware attack, it’s even worse. It can be catastrophic to a healthcare organization.”
- Ellen M. Derrico, MBA, Senior Director, of Global Product Marketing for Healthcare and Life Sciences, RES, Radnor, PA. Telephone: (610) 991-3076.