Hollywood Presbyterian Medical Center last week revealed its computer systems were offline after a ransomware attack scrambled the data on its systems.
Ransomware is a form of malware that encrypts data and system files on a computer and demands payment of a ransom to unscramble the files.
Since the attack, HPMC medical personnel reportedly have had to resort to faxes and handwritten charts to perform their daily tasks.
The hospital called in the Los Angeles Police Department and the FBI.
The FBI is investigating the intrusion, spokesperson Ari Dekofsky told the E-Commerce Times.
The extortionists reportedly asked for 9,000 bitcoins — more than $3.7 million — to unscramble the hospital’s data.
“None of the compromises we’ve seen anywhere have been for 9,000 bitcoins. Not even hundreds of bitcoins,” said Rodney Joffe, senior vice president at Neustar.
“However, in Europe, the normal nomenclature for numbers is to use a comma, not a period. It is quite possible that this was for 9.000 bitcoins, which is more in line with what we’ve seen,” he told the E-Commerce Times.
“I don’t think the bad guys would mind if they got 9,000 bitcoins,” he added, “but it’s just not consistent with anything we’ve seen.”
The attack was not specifically aimed at the hospital, according to news reports.
“It was just a random attack,” HPMC CEO Allen Stefanek told an NBC affiliate.
“It’s absolutely possible it was a random attack,” Joffe said.
“These criminal organizations scan the Internet for openings. Hollywood Presbyterian was probably compromised through a normal series of scanning of the open Internet,” he explained.
“There’s every possibility that the bad guys had no idea — because their systems are so automated — they were attacking a hospital,” Joffe added.
Hollywood Presbyterian isn’t the only hospital that has been attacked by ransomware in recent months. A regional hospital in Mount Pleasant, Texas, was crippled for a week by ransomware in January, and a hospital in Florida was offline for five days in September after such an attack.
Healthcare providers have become an attractive target for hackers.
“Healthcare organizations deal with highly sensitive health records, payment information and personally identifiable information,” said Ryan Kalember, senior vice president of cybersecurity strategy at Proofpoint.
“If information is destroyed, both patient health and the healthcare institution’s ability to provide the best care may hang in the balance,” he told the E-Commerce Times.
“Because of the profit potential, healthcare organizations are widely targeted with these sort of attacks,” Kalember added.
Hospital security can be more challenging than security in other industries, noted Rick Kam, president of ID Experts.
“They’re not like a financial institution or bank that have centralized security functions,” he told the E-Commerce Times.
“They’re about as far from a homogenous environment as you can imagine,” said Eldon Sprickerhoff, chief security strategist at eSentire.
“There are typically dozens of IT vendors, and the hospital IT staff don’t generally have admin access to all these machines,” he told TechNewsWorld. “A lot of them operate as black boxes.”
What’s more, everything is connected to networked storage devices that contain terabytes and terabytes of data.
“They’re a terrific target for these guys,” Sprickerhoff said. “It is the richest data target you can imagine.”
This month, the U.S. Office for Civil Rights, which hands down fines to healthcare providers that violate federal data protection laws, made these recommendations for combating ransomware:
- Back up data onto segmented networks or external devices and make sure backups are current.
- Ensure that software patches and antivirus software are current and updated.
- Install pop-up blockers and ad-blocking software.
- Implement browser filters and smart email practices.
However, whatever measures are taken to thwart digital extortionists, they can all be undone by the weakest link in the security chain.
“Human behavior can always undermine everything,” said Rick Orloff, CSO of Code42.
“If you educate your employees not to click links in emails and they do it anyway,” he told TechNewsWorld, “that’s a killer.”