Holding your doctor & your records hostage

Hospitals may need to give themselves a check-up after hackers take over a computer system and demand ransom.

“Miracles happen here,” says the website belonging to Hollywood Presbyterian Medical Center in Los Angeles. The miracle now may be finding a way to get the hospital’s computers back without paying a $3.6 million dollar ransom.

The hospital’s CEO declared an internal emergency, reported NBC Los Angeles.

Anonymous hospital staff members told NBC Los Angeles that the hospital’s computers are being held for ransom, and that they are having to use jammed fax lines to try to communicate. Some patients are being transported to other hospitals, the station reported, and all registrations and medical records are being written on paper.

“The attackers are asking for 9,000 Bitcoin (approximately $3.6 million) in exchange for giving the hospital access to the systems again,” reported Help Net Security.

“Ransomware has certainly hit the big time,” said Patrick Coyle with Chemical Facility Security News. “Instead of the couple of hundred dollars normally charged to decrypt a computer, we now have $3.6 million for a network of computers.”

“If this ransom is paid, we will certainly see a rise in this scale of attacks,” he added.

Easy targets

Some cybersecurity experts say medical centers are easy for online criminals to hit.

“Hospitals are great targets for ransomware,” said Jim Feely with Archer Security Group. 

“Their EHR [electronic heath record] systems are centralized, making a target that can wipe out the productivity of all the providers in one step,” he explained.

“They generally spend a lot on the EHR, but not a lot on the IT staff. It’s not uncommon for hospital IT departments to be overworked and focused on daily operations rather than robust security,” Feely said.

Security at Hollywood Presbyterian

Archer News contacted Hollywood Presbyterian Medical Center to find out more about the attack and the hospital’s security. However, we were sent to a voice mail box that is full and no longer accepting messages, with a voice message that says, “We want to assure you that patient care has not been compromised as we continue to address this incident.”

Archer News left a message with the hospital administration but has not heard back as of the time of this post.

Cybersecurity experts say it is clear from the information reported that the hospital did not do enough to protect itself.

“They didn’t have a comprehensive backup plan, with off-site encryption,” said Daniel Lance with Archer Security Group. “If they did, then they would be running again with a shiny new firewall and a red team watching the door.”

A red team is a group of people working to test your computer defenses by attacking you as if they were criminals trying to get in.

The hospital is working with the FBI, Los Angeles police, and a computer forensics firm, according to Help Net Security.

“Forensics teams are great,” said Lance, “But if you want to keep yourself from pulling out the fax machines and licking stamps, you need to invest in good defensive security that will enhance your business in ways you don’t always expect.”

“I’m sure this hospital would agree,” he added.

Not the first time

Other hospitals and doctor’s offices have been hit by ransomware attacks as well.

Hackers held a Texas medical center’s system for ransom last month, reported the Daily Tribune in Mount Pleasant.

The ransomware encrypted files, affecting the hospital’s ability to get to and add information to electronic medical records, as well as communicate between departments, the hospital’s public information office said in the article.

“It’s just like in the 1970’s, before electronic medical records. Everything is on paper and people are serving as runners. There’s no automation,” information officer Shannon Norfleet said, according to the Daily Tribune.

In September, hackers took over a computer system at a veterans hospital in Tampa, shutting it down for five days and demanding payment, said the Tampa Tribune.

In 2012, the Surgeons of Lake County’s offices in Illinois announced they were victims, with attackers encrypting their files and asking for money, reportedly affecting 7,000 people.

Cybersecurity experts have been warning about the danger of weak Internet security in health care organizations for some time.

“The crypto-ransomware can really be devastating to the operations of a business, but we’ve known about it for a while,” said Feely. 

Getting easier

2016 will be the year of online extortion, according to Trend Micro.

The tools to do this kind of attack are now easier to find and easier to use, said Lance.

“In the past when you wanted to hit a big target—terabytes of data—to hold ransom, you had a huge barrier to entry,” he explained. “You had to get the data out low and slow, then notify them that you had the keys to the kingdom.”

This may have been the case in a 2014 ransom demand in Illinois.

A small hospital there said it received an e-mail asking for payment, or the sender would reveal the information of more than 12,000 patients who went to the clinic during or before 2012. The hospital said the sender sent a sample of patient information in the ransom e-mail, including names, Social Security numbers and dates of birth.

In the latest attack in Los Angeles, it is possible that the hacker could have simply sent hospital workers an e-mail with the malware in it.

“In this case, all the attacker has to do is get the exploit in the system and wait for verification, so it’s a much easier hand of cards to play,” said Lance.

Protection

Cybersecurity experts say there are steps hospitals and companies can take to gird themselves against ransom attacks.

Ransomware gets on the network through phishing and e-mail attachments, so companies should make sure they have protection against that, Feely said. 

They should separate their networks, said Coyle.

“There is absolutely no reason that medical devices, patient records, and administrative tools all have to be on the same network,” he said. “If there had been proper network segmentation—separation of the different types of users—the scale of this problem would be greatly reduced.”

 They should also focus on speedy recovery of infected systems, said Feely.

“Businesses need a good recovery plan that includes backing up the systems and the data, and verification that everything can be restored quickly,” Feely said. “Offline system backups would be particularly effective against ransomware, since it has the ability to attack network storage as well.”

Hospitals can go to “manual mode,” he said. But it could be expensive.

“Manual workflows take more time, taking profit right off the top,” said Feely. “If a large hospital loses 20% or more of it’s productivity—billable events—to a ransomware attack for an extended period, it’s probably going to consider paying a ransom. “