The computer system at Hollywood Presbyterian Medical Center, based in Los Angeles, Calif., has been down for more than a week following a ransomware attack, and hackers are demanding $3.6 million to restore the system, according to local news sources.
According to a news report from a local NBC station (NBC4), Hollywood Presbyterian Medical Center president and CEO Allen Stefanek said hospital staff noticed “significant IT issues and declared an internal emergency” Feb. 5. He also said the attack was random, not malicious, and that the hospital’s emergency room has been sporadically impacted since the attack. The outage is due to ransomware that ended up on the hospital’s internal network.
"At this time, we have no evidence that any patient or employee information was the subject of unauthorized access or extraction by the attacker," Stefanek reported to NBC4.
The Los Angeles Police Department and the Federal Bureau of Investigation (FBI) have launched an investigation into the cyber attack.
“A doctor who did not want to be identified said the system was hacked and was being held for ransom. The unnamed doctor said that departments are communicating by jammed fax lines because they have no email and that medical office staff does not have access to email,” the NBC news report stated.
Hospital staff have reported that they cannot pull up electronic patient medical records and are registering patients on paper. They also stated that some patients have been diverted to other hospitals because of the outage, NBC4 reported.
CSO, a publication that covers security and risk management, has reported that hackers are demanding ransom of 9,000 Bitcoin, equivalent to about $3.6 million.
“Based on the information available, it seems like the hospital got hit with a ransomware type of malware, which typically encrypts the data on the computer, or multiple computers, and then requests some kind of payment in order to provide the decryption key so users can access that data,” says Tim Erlin, director of IT security and risk strategy at Tripwire, a software vendor that provides information technology and network security solutions.
“In the IT security industry, we talk a lot about medical device security and it’s noteworthy that this attack that effectively crippled a hospital from delivering patient care effectively did not actually involve the security of medical devices, as far as we know,” he notes. “An attacker can significantly impact a hospital’s ability to deliver care without directly attacking medical devices themselves.”
Erlin advises that hospitals and health systems address these kinds of cyber attacks both from a prevention and a disaster response standpoint.
“Most of it comes down to basic security best practices. Malware may be very sophisticated, but the messages that attackers use to put that malware on a system are not sophisticated, as it usually involves a misconfigured system, a published vulnerability that has been attacked or a human being that has made some sort of mistake,” he says.
As with many other cyber attacks targeting the healthcare industry, there are lessons to be learned.
“Hospitals should take the time to review the configurations of their systems to make sure that they are secure and don’t contain misconfiguration, and they should scan their network for vulnerabilities and have a plan to patch those vulnerabilities. They also need to train their staff in how to recognize phishing scams or malicious emails that might lead to an infection,” he says.
Erlin also says hospitals should include these kinds of cyber attacks in their disaster recovery plans. “Systems may be taken offline maliciously, or by other circumstances. It’s important to have procedures in place to protect patients in either case,” he says.
He continues, “The most significant lesson from this incident at this point is that hospitals rely on some of the basic IT systems for effective patient care. And while this malware may not have directly infected a medical device, a CT machine or an MRI, the inability for hospital staff to communicate effectively, to access patient records, does directly affect patient care. So in order to respond to these incidents a hospital needs to build a response plan and a disaster recovery plan to treat this loss of IT assets as a kind of disaster from which they need to recover, and during which time they need to be able to operate effectively. So they should have backup plans for how to communicate and how to access patient records when systems are unavailable.”
In the event that this type of cyber attack does occur, hospitals and health systems can mitigate the situation by having a backup that is not connected to the internal network. “Another option is to have devices that can connect to patient records off site, at another hospital or in a centralized system. It depends on the architecture of the system, to a certain extent, but hospitals should consider this – if that computer that’s sitting at the front desk or at the nurses’ station is inaccessible for some reason, then there should be another way to access the information they need to deliver patient care,” Erlin notes.