
So It WAS Ransomware: The Implications of the Attack on MedStar Health

April 4, 2016
The cyberattack on the 10-hospital MedStar Health poses several important questions to patient care leaders nationwide

An important development took place on Wednesday, March 30, in a story that our publication has been covering this week. As HCI Managing Editor Rajiv Leventhal noted in his article, The Baltimore Sun has run a report confirming what some had suspected—that the hacker attack on the 10-hospital MedStar Health system, based in Columbia, Md., and serving the Washington-Baltimore corridor, did in fact involve ransomware, something that had not been publicly confirmed prior to Friday.

The report, by the Baltimore Sun’s Ian Duncan, Andrea K. McDaniels, and Colin Campbell, noted that “The hackers who locked up data on MedStar's computers this week are demanding ransom to begin unlocking it — and they're offering a bulk discount to release all of it, according to a copy of the demands obtained by The Baltimore Sun. The attack was made public by the FBI and MedStar on Monday. A doctor at a MedStar hospital in Baltimore and a second source familiar with the matter confirmed Wednesday that it was launched by hackers seeking payment. The hackers, who have encrypted the data so MedStar users cannot retrieve it, are seeking payment in bitcoins, the hard-to-trace digital currency that can be purchased at online exchanges.”

The Sun’s report went on to say that “MedStar, which operates 10 hospitals and other facilities in the Baltimore-Washington region, declined to discuss the nature of the attack, citing an ongoing investigation.” It did, however, quote Ann Nickels, a health system spokesperson, as saying on Wednesday that its three main clinical information systems had been restored, and that doctors were able to access medical records on at least a read-only basis. Still, the newspaper’s report noted, many patients have been experiencing access and service problems.

According to the Sun, “The ransom note appeared when users in the MedStar system tried to open files on their computers. The hackers directed users to an online ‘wallet’ to pay the ransom. Once it was paid, they said, they would deliver the keys to the data on the dark Web, a hidden part of the Internet where they can better cover their tracks. The wallet is currently empty,” the report noted. “A bitcoin tracking site reports that no funds have been transferred in or out of it.” The source for the ransomware revelation was a physician who was not authorized to discuss the attack publicly, but who told the newspaper that the attack had hit every computer on the health system’s network.

There are several points to make about all this. The biggest one is simply this: this is now the largest health system successfully ransomware-attacked that has been reported in the mainstream media.

In my March 29 blog, written after the revelation of the hack but before Wednesday’s revelation, I quoted Mac McMillan, CEO of the Austin, Tex.-based CynergisTek, and an industry thought-leader, with regard to the fundamental problem of trying to track intrusions and prevent their damage using only in-house human, financial, and technological resources. “Think of it this way,” Mac told me: “an average, medium-sized hospital probably is producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on. The problem is too big, you can’t do it yourself. This notion that we can test ourselves, that we can monitor our environment, has got to go away. We need those independent, objective experts to do this for us and identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s working at a single hospital. And to take advantage of that experience—that’s what we need to do.”

What’s more, Mac told me, inevitably, “I think that the threat is going to continue to increase in the next few years in a big way. As we become more of a knowledge-based society, more and more responsibility will fall onto technology and data. So this makes sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.”

So here’s the thing: many of us industry observers, myself included, saw the Hollywood Presbyterian ransomware attack as something of a signal event in the recent history of cybersecurity and cybercriminality in U.S. healthcare. And that was a ransomware attack on a single standalone community hospital. Now, with the revelation that the MedStar cyberattack was a ransomware attack, we have the first widely publicly reported ransomware attack on a broader scale—in this case, involving a 10-hospital health system whose patient care volume, according to its website, in 2015 encompassed more than 143,000 inpatient admissions, 4.3 outpatient visits, and 1.7 million physician office visits. What’s more, the health system employs 1,800 physicians and an additional 4,700 affiliated physicians, not to mention 31,000 staff, including “associates, residents, and fellows.”