An important development took place on Wednesday, March 30, in a story that our publication has been covering this week. As HCI Managing Editor Rajiv Leventhal noted in his article, The Baltimore Sun has run a report confirming what some had suspected—that the hacker attack on the 10-hospital MedStar Health system, based in Columbia, Md., and serving the Washington-Baltimore corridor, did in fact involve ransomware, something that had not been publicly confirmed prior to Friday.
The report, by the Baltimore Sun’s Ian Duncan, Andrea K. McDaniels, and Colin Campbell, noted that “The hackers who locked up data on MedStar's computers this week are demanding ransom to begin unlocking it — and they're offering a bulk discount to release all of it, according to a copy of the demands obtained by The Baltimore Sun. The attack was made public by the FBI and MedStar on Monday. A doctor at a MedStar hospital in Baltimore and a second source familiar with the matter confirmed Wednesday that it was launched by hackers seeking payment. The hackers, who have encrypted the data so MedStar users cannot retrieve it, are seeking payment in bitcoins, the hard-to-trace digital currency that can be purchased at online exchanges.”
The Sun’s report went on to say that “MedStar, which operates 10 hospitals and other facilities in the Baltimore-Washington region, declined to discuss the nature of the attack, citing an ongoing investigation.” It did, however, quote Ann Nickels, a health system spokesperson, as saying on Wednesday that its three main clinical information systems had been restored, and that doctors were able to access medical records on at least a read-only basis. Still, the newspaper’s report noted, many patients have been experiencing access and service problems.
According to the Sun, “The ransom note appeared when users in the MedStar system tried to open files on their computers. The hackers directed users to an online ‘wallet’ to pay the ransom. Once it was paid, they said, they would deliver the keys to the data on the dark Web, a hidden part of the Internet where they can better cover their tracks. The wallet is currently empty,” the report noted. “A bitcoin tracking site reports that no funds have been transferred in or out of it.” The source for the ransomware revelation was a physician who was not authorized to discuss the attack publicly, but who told the newspaper that the attack had hit every computer on the health system’s network.
There are several points to make about all this. The biggest one is simply this: this is now the largest health system successfully ransomware-attacked that has been reported in the mainstream media.
In my March 29 blog, written after the revelation of the hack but before Wednesday’s revelation, I quoted Mac McMillan, CEO of the Austin, Tex.-based CynergisTek, and an industry thought-leader, with regard to the fundamental problem of trying to track intrusions and prevent their damage using only in-house human, financial, and technological resources. “Think of it this way,” Mac told me: “an average, medium-sized hospital probably is producing literally tens of millions of logs or events a month. There’s nobody on this planet that has a good enough calibrated eyeball to go through tens of millions of events and could figure out what’s going on. The problem is too big, you can’t do it yourself. This notion that we can test ourselves, that we can monitor our environment, has got to go away. We need those independent, objective experts to do this for us and identify issues, as well as bring the greater awareness. My guys do hundreds of risk assessments a year across the country and tests. Their depth of knowledge is so much broader than that of the guy who’s working at a single hospital. And to take advantage of that experience—that’s what we need to do.”
What’s more, Mac told me, inevitably, “I think that the threat is going to continue to increase in the next few years in a big way. As we become more of a knowledge-based society, more and more responsibility will fall onto technology and data. So this makes sense. And the one thing that healthcare fears more than anything else is not having their data. And ransomware attacks that very vulnerability, fear. So from an extortion perspective, it is the perfect vehicle for attacking vulnerability. And even if it’s not successful, it creates a tremendous amount of disruption.”
So here’s the thing: many of us industry observers, myself included, saw the Hollywood Presbyterian ransomware attack as something of a signal event in the recent history of cybersecurity and cybercriminality in U.S. healthcare. And that was a ransomware attack on a single standalone community hospital. Now, with the revelation that the MedStar cyberattack was a ransomware attack, we have the first widely publicly reported ransomware attack on a broader scale—in this case, involving a 10-hospital health system whose patient care volume, according to its website, in 2015 encompassed more than 143,000 inpatient admissions, 4.3 outpatient visits, and 1.7 million physician office visits. What’s more, the health system employs 1,800 physicians and an additional 4,700 affiliated physicians, not to mention 31,000 staff, including “associates, residents, and fellows.”
The Baltimore Sun article on the situation shared anecdotal (though fully sourced) reports of disruptions to patient care, even as it quoted senior MedStar officials stating that the health system was operating as normally as possible, while its IT experts worked to address the problem. It did, however, also quote Gene Ransom, executive director of MedChi, the state's medical society, as saying that doctors are worried about how the lack of access to electronic medical records could impact patient care. "There is a lot of concern about the potential harm because of this," Ransom told the Sun. "A lot of doctors are concerned that something bad will happen because of this."
Of course, something bad already has happened: physicians and other clinicians have had their world rocked by an attack that has hit them at a point of maximal vulnerability, as they struggle to keep patient care on track without the core electronic health record (EHR) and other clinical information systems that they’ve come to rely completely on, in the past few years. And it has shown the healthcare world—and the hackers—that hacking can bring down, at least temporarily, a large patient care organization, crippling its ability to operate normally.
As terrible as all this is, and there’s absolutely no question that it is all terrible, could this ransomware attack finally force attention to this huge problem, at the highest levels of patient care organizations nationwide, meaning, boards of directors? Until recently, hospital and health system boards tended to fall on the parsimonious side of the ledger when it came to providing the financial and human resources to really get a handle on cybersecurity and cybercriminality. So the one silver lining in this situation might be a truly industry-wide awakening regarding the intense dangers of ransomware-based and other cybercriminal attacks on patient care organizations. And that will include not only the necessity to spend money to access the services needed to address and hopefully proactively prevent, these attacks, or at least their negative impact, but also a tremendous new investment in the ongoing training and education of end-users across every patient care organization, as well as the development of serious strategies on the part of CIOs, CISOs, and really, all the leaders of patient care organizations, working in concert, to defeat these threats.
No one wants to be the victim of this kind of horrible attack, and no one deserves to be. But what’s absolutely clear here is that we have definitively entered a new and every disturbing phase when it comes to data security—and insecurity—in U.S. healthcare. And only concerted, strategic efforts, on the part of c-suites and boards of directors in patient care organizations nationwide, can begin to turn the tide on this increasingly frightening, and discouraging, trend in healthcare.