The CEO says the hospital gave $17,000 to attackers who took control of their system through malware.
Ten days of a computer freeze at a Los Angeles hospital are over, now that the Hollywood Presbyterian Medical Center has paid ransom, the CEO said in a statement.
The amount, he said, was 40 bitcoins, equal to about $17,000.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said CEO Allen Stefanek.
“In the best interest of restoring normal operations, we did this,” he said.
The hospital staff first noticed computer problems on February 5. The EMR, or electronic medical record system, was finally restored on February 15, according to the statement.
“All systems currently in use were cleared of the malware and thoroughly tested,” the CEO said. “We continue to work with our team of experts to understand more about this event.”
To pay or not to pay
In any ransom case, there may be agonizing questions about whether to acquiesce to the attackers’ demands.
“From a theoretical stance, a ransom should never be paid,” said Travis Smith with Tripwire.
“However, there is an emotional connection to data,” he added. “For users, this emotional connection has been around family photos and other private documents which could not be replaced. For organizations, the connection is more monetary than emotional.”
It was not a question of life and death, according to Hollywood Presbyterian Medical Center. The hospital said patient care was not compromised during the attack. Some patients were sent to other hospitals, reports said.
“The hospital can scale down its operations and divert patients to maintain a high level of patient care,” said Jim Feely with Archer Security Group. “The decision to pay the ransom was purely a business decision. They chose the fastest way to return to full capacity.”
Hospital health security
Cybersecurity experts say backing up data is important to protect hospitals from these kinds of attacks. If an attacker encrypts your data so you can’t access it, you could turn to the backup.
“Backups are a huge component of reducing the risk of ransomware,” said Smith.
“When an organization has backups from the night before the attack, the cost of overwriting the encrypted data with real data becomes more cost-effective than paying the ransom to criminals,” he said.
The cost of protection
A well-planned backup and recovery plan can dramatically reduce the cost of an attack, said Feely.
“A good backup and recovery plan comes at a cost, though,” he said. “With HIPAA security and privacy requirements, a hospital can’t just backup to any low-bid cloud backup provider.”
Rebuilding a system and restoring data after an attack can also be costly.
“The hospital likely has recovery procedures in the event the system has to be rebuilt or restored from backup, but it may have been more cost-effective to pay the ransom,” said Steven Parker with Archer Security Group.
“This may simply be a case of effective pricing more than a devastating attack,” he added.
New business model?
Attackers may be able to figure out the real cost of protecting and restoring data, and then make smart business decisions of their own, said Feely. They could set their ransom somewhere below that cost, knowing that businesses may compare the numbers and give in.
“What happens if crypto-ransomware criminals undercut the cost of an effective backup and recovery system?” he asked.
“Let’s say the ransom is $2,000,” Feely said. “We could be on the leading edge of a crypto-ransomware plague.”
Not again
Cybersecurity experts say hospitals and other organizations that have fallen victim are not immune to future ransomware attacks.
“‘What are the chances of this happening again?’ should be high on the list of concerns,” said Daniel Lance with Archer Security Group.
“Anytime you go from zero-defense architecture to active defense, you will be tempted to overlook the basic problems that got you in trouble in the first place,” he added.
Smith recommends not just backups, but also a close look at who has access to what.
“Ransomware is only able to encrypt data it has access to, so it’s important to have a clear understanding of which employees have access to the organization’s critical data,” he said.
“Attack vectors such as ransomware make a clear justification of the principle of ‘least privilege,’ giving employees the minimum amount of access required to complete their jobs,” said Smith.
Who is next?
This incident should serve as a warning for other medical centers, some experts say.
“I hope hospitals and clinic executives all over the country take notice of this,” said Feely.
“Crypto-ransomware is real, relatively easy to implement, and profitable,” he explained.
“They need to take stock of their exposure and commit reasonable resources to develop and maintain protections and business continuity plans,” Feely said