After having its computer systems knocked offline for more than a week due to a ransomware attack, Los Angeles-based Hollywood Presbyterian Medical Center late yesterday announced it had paid the hackers 40 Bitcoins to regain control of its computer systems.
In a statement date Feb. 17 posted on the hospital’s website, HPMC president and CEO Allen Stefanek referenced the “recent cyber incident which temporarily affected the operation of our enterprise-wide hospital information system” and stated that, as of Monday, Feb. 15, HPMC had restored its electronic medical recorded (EMR) system and “all clinical operations are utilizing the EMR system.”
“All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event,” Stefanek said in the statement.
Stefanek also stated that original reports of the hospital paying 9000 Bitcoins or roughly $3.4 million, are false. “The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000,” he said, while also stating that paying the ransom was the “quickest and most efficient way to restore our systems and administrative functions.”
As previously reported by Healthcare Informatics, a Los Angeles-based NBC news station reported earlier this week that a doctor who did not want to be identified said the system was hacked and was being held for ransom. “The unnamed doctor said that departments are communicating by jammed fax lines because they have no email and that medical office staff does not have access to email,” the NBC news report stated.
At the time, staff at the 434-bed hospital reported that they could not pull up electronic patient medical records and were registering patients on paper and they also stated that some patients were diverted to other hospitals because of the outage, NBC4 reported. And, many media outlets earlier this week reported that the hackers were demanding a ransom of 9,000 Bitcoin.
In the HPMC statement, Stefanek provided extensive details about the incident, representing the first time hospital executives have spoken publicly about the situation apart from the one interview published by Los Angeles’ NBC4.
“On the evening of February 5th, our staff noticed issues accessing the hospital’s computer network. Our IT department began an immediate investigation and determined we had been subject to a malware attack. The malware locked access to certain computer systems and prevented us from sharing communications electronically. Law enforcement was immediately notified. Computer experts immediately began assisting us in determining the outside source of the issue and bringing our systems back online,” he stated.
Stefanek continued, “The reports of the hospital paying 9000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000. The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
In the statement, Stefanek also addressed concerns about patient safety and healthcare delivery during the incident.
“It is important to note that this incident did not affect the delivery and quality of the excellent patient care you expect and receive from Hollywood Presbyterian Medical Center (“HPMC”). Patient care has not been compromised in any way. Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access.”
Stefanek also praised the hospital staff’s response during the incident: “I am very proud of the dedication and hard work of our staff who have maintained the highest level of service, compassion and quality of care to our patients throughout this process. I am also thankful for the efforts of the technical staff as the EMR systems were restored, and their continued efforts as other systems are brought back online.”
And, he thanked the hospital’s patients and community for their “continued trust in Hollywood Presbyterian Medical Center.”
In a blog post about the incident, HCI’s Editor-in-Chief Mark Hagland noted that the ransomware-driven seizure of control of an enterprise-wide hospital information system signals a disturbing new cybersecurity chapter in U.S. healthcare.
Hagland wrote, “On a broader level, this whole situation raises the specter of our collective entry into a frightening new world. We all know that healthcare IT leaders are working very hard to try to ensure data security and cybersecurity, but the reality is that the dangers are becoming more menacing all the time now, not less. And independent community hospitals like Hollywood Presbyterian are particularly vulnerable with regard to the kinds of human and capital resources available to master these ever-intensifying issues.”
Tim Erlin, director of IT security and risk strategy at Tripwire, a software vendor that provides information technology and network security solutions, advises that hospitals and health systems address these kinds of cyber attacks both from a prevention and a disaster response standpoint.
“The most significant lesson from this incident at this point is that hospitals rely on some of the basic IT systems for effective patient care. And while this malware may not have directly infected a medical device, a CT machine or a MRI, the inability for hospital staff to communicate effectively, to access patient records, does directly affect patient care,” Erlin said. “So in order to respond to these incidents a hospital needs to build a response plan and a disaster recovery plan to treat this loss of IT assets as a kind of disaster from which they need to recover, and during which time they need to be able to operate effectively. So they should have backup plans for how to communicate and how to access patient records when systems are unavailable.”