
Does the Hollywood Presbyterian Hack Represent a Frightening New Chapter in Healthcare Cybersecurity?

February 17, 2016
by Mark Hagland
The apparent ransomware-driven seizure of control of the IS at Hollywood Presbyterian Medical Center signals a disturbing new cybersecurity chapter in U.S. healthcare

As this publication reported on Tuesday, based on a variety of media sources, “The computer system at Hollywood Presbyterian Medical Center, based in Los Angeles, Calif., has been down for more than a week following a ransomware attack and hackers are demanding $3.6 million to restore the system, according to local news sources. According to a news report from a local NBC station (NBC4),” HCI Assistant Editor Heather Landi wrote yesterday, “Hollywood Presbyterian Medical Center president and CEO Allen Stefanek said hospital staff noticed ‘significant IT issues and declared an internal emergency’ Feb. 5. He also said the attack was random, not malicious, and that the hospital’s emergency room has been sporadically impacted since the attack. The outage is due to ransomware that ended up on the hospital’s internal network.” The NBC4 report further quoted Stefanek as telling the television station, “At this time, we have no evidence that any patient or employee information was the subject of unauthorized access or extraction by the attacker.”

In the past 24 hours, a number of additional news reports have been published, though, understandably perhaps, Hollywood Presbyterian senior executives have not spoken publicly about the situation apart from the one interview published by Los Angeles’s NBC4.

Still, regarding the $3.6 million demanded of the 434-bed hospital (formerly known as Queen of Angels-Hollywood-Presbyterian Medical Center) by the hackers, reportedly in the form of 9,000 units of the online payment method Bitcoin, “This is an unusually large amount to ask for,” Stephen Gates, chief research analyst and principal engineer of the Santa Clara, Calif.-based NSFocus IB, told my colleague Neil Versel, who wrote about the situation yesterday afternoon in a report in MedCity News. As Gates told Versel, “Ransomware is a unique kind of malware. It encrypts files on the network and asks for a key code to unencrypt the files. Extortion campaigns are really what they are.”

What’s more, a report Tuesday in WIRED magazine stated this: “As WIRED explained last fall, while ransomware has been around for over a decade, hackers have been embracing increasingly sophisticated methods. In the past, ransomware could only lock down a target’s keyboard and computer; now, hackers can encrypt an infected system’s files with a private key known only to the attacker. That may be what has happened here, according to anonymous hospital sources who told NBC4 that the hackers offered a ‘key’ in exchange for the ransom money. The hospital has yet to officially detail the attack.”

There is a great deal that is unknown in this situation, and it is understandable that the hospital’s senior executives are not revealing publicly what has happened and what is currently going on behind the scenes. It would be foolhardy of them to say right now. But among the questions I have are these: What forms of cybersecurity and data security were in place at the hospital at the time of the attack? Was the patient data in the electronic health record (EHR—reportedly from the Alpharetta, Ga.-based McKesson Corporation) encrypted at rest? Is the hospital regularly performing behavioral auditing? What kinds of phishing training have taken place for EHR and other clinical IS end-users? Does the hospital have a CISO (chief information security officer), and what kinds of human and other resources does the CISO, if there is one, have?

Additional questions on my mind include: How and when was the ransomware message communicated? Did the hospital have any kind of data replication in place? How have the operations of the hospital’s data center been affected? Did the hospital have a comprehensive disaster recovery and business continuity plan? I would also be curious as to the expertise of any consultants currently involved in helping the organization to resolve this terrible situation.

On a broader level, this whole situation raises the specter of our collective entry into a frightening new world. We all know that healthcare IT leaders are working very hard to try to ensure data security and cybersecurity, but the reality is that the dangers are becoming more menacing all the time now, not less. And independent community hospitals like Hollywood Presbyterian are particularly vulnerable with regard to the kinds of human and capital resources available to master these ever-intensifying issues.

What’s more, the issues are becoming apparent in every sphere of patient care organization activity. The threats are coming from everywhere: from phishing scams aimed at disarming clinical information systems by getting unsuspecting staff members to open loaded e-mails; from straight-out hacks by crime syndicates and even hostile foreign governments; and in the form of cyber-attacks against medical devices, which increasingly are totally connected to EHRs and other clinical information systems.

It is in that context that a new report, “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” was published this week by a non-partisan collaborative of organizations called the Institute for Critical Infrastructure Technology. The report asserts that recent guidance from the U.S. Food and Drug Administration (FDA) for device makers on cybersecurity is woefully inadequate.