3 Lessons We Can Learn from the Hollywood Presbyterian Medical Center Attack

By Rick Kam, President and Co-founder, ID Experts
rick.kam@idexpertscorp.com

The last thing the healthcare industry needs is more cybersecurity threats. Unfortunately, the industry is facing just that with the rise of ransomware attacks, in which hackers use specialized malware to take control of an organization’s or individual’s computer network or resources, demanding a ransom be paid (usually in Bitcoins) to recover the resources.

The recent attack at Hollywood Presbyterian Medical Center (HPMC) provides a typical example of how ransomware works. On Feb. 5, 2016, hackers broke in and locked access to HPMC’s electronic medical record (EMR) system, effectively blocking the electronic exchange of patient information. The hackers used malware to encrypt the data and demanded that HPMC pay a ransom for the decryption key necessary to unlock the data.

Initially it was widely reported that the hackers were demanding an unprecedented 9,000 Bitcoins, or $3.4 million. HPMC denied that story and on Feb. 19 issued an official statement saying that it had paid the hackers 40 Bitcoins, or about $17,000, to obtain the decryption key. Until the ransom was paid, HPMC was reportedly forced to transport some patients to other hospitals, take CT scans and other essential functions offline, and manually perform tasks such as registering patients.

HPMC will be dealing with the fallout for months to come, but how serious is the ransomware threat to the rest of the healthcare industry? Here are three lessons we can learn from HPMC, which can also serve as a wake-up call to healthcare providers and cybersecurity professionals that have yet to put ransomware on their radar.

Lesson #1: The Danger of Ransomware Attacks Is Real and Growing

Healthcare organizations of all sizes should be worried about ransomware attacks. Hackers’ use of ransomware increased 58 percent in the second quarter of 2015, according to a threat report by Intel Security, and a June 2015 public service announcement (PSA) from the FBI’s Internet Crime Complaint Center warned that “ransomware continues to spread and is infecting devices around the globe.”

The FBI also noted that from April 2014 to June 2015, it received 992 complaints related to CryptoWall, with ransom fees generally ranging from $200 to $10,000. CryptoWall-related losses totaled over $18 million—and it is just one form of ransomware (others include CryptoLocker, Cryptodefense, TorrentLocker, and Darkleech). As hackers and ransomware become ever more sophisticated, these attacks are likely to become even more common.

Worse than the overall trends, the healthcare industry appears to be an increasingly enticing target for ransomware hackers. Just one month before HPMC was victimized, Titus Regional Medical Center in Texas suffered a similar ransomware attack. And Johns Hopkins Chief Information Security Officer (CISO) Darren Lacey was quoted in a Healthcare IT News story as saying, “I see ransomware a lot … a few times a month”—and that was back in December 2015.

Hackers are targeting the healthcare industry for a variety of reasons, including the massive amount of sensitive data that can be targeted, the high value of the data, the perceived weaknesses in healthcare organizations’ cybersecurity protections, and the urgency of patient treatment (making any ransom-related delays untenable).

It’s also worth noting that both the HPMC and Titus Regional attacks targeted smaller, more regional healthcare providers, possibly because they are, or are perceived to be, less prepared for such attacks.

Lesson #2: Take Preventative Steps Now

In a bit of ironic timing, the U.S. Office for Civil Rights (OCR) announced its new Cyber-Awareness Initiative three days before the HPMC attack. Included in the initiative are four suggested strategies for healthcare providers to prevent ransomware attacks:

  1. Back up data onto segmented networks or external devices and make sure backups are current.
  2. Ensure software patches and anti-virus software are current and updated.
  3. Install pop-up blockers and ad-blocking software.
  4. Implement browser filters and smart email practices.

These are basic HIPAA security measures that healthcare providers should have in place already, but the threat of ransomware attacks adds urgency to the effort.

Lesson #3: Prepare Early and Respond Quickly to Ransomware Attacks

Ransomware attacks are not much different from more typical data breaches, at least in the way organizations should prepare. Along with following the basic recommendations provided by the OCR, consider taking these steps outlined by Davis Wright Tremaine LLP:

  • Make ransomware and other malware attacks part of your risk analysis.
  • Provide employee training on information security awareness.
  • Procure cyber insurance with cyber extortion coverage.
  • Routinely back up electronic protected health information (ePHI).
  • Consider performing breach response table-top exercises, with ransomware as a potential scenario.
  • Test your monitoring and response processes.
  • Test your disaster recovery processes.

You can bet that HPMC is depending on its disaster recovery process right now, and unfortunately it is highly likely that other healthcare organizations will be doing the same in the year ahead. That’s why it’s so essential to recognize the threat of ransomware, take every precaution to prevent an attack, and as always, be prepared for the worst.

 

1 COMMENT

  1. Rick,

    Good words to hear, think about, and consider. Question…I have read from “experts” who have been quoted in stories about the recent ransomware attacks…and from some folks who have also been attacked but have kept things below the radar that despite having what they felt were satisfactory backup and disaster recovery plans that all things considered in their case-specific situations…paying the ransom was the best viable option.

    What is your opinion on the overall vulnerability of healthcare providers with respect to the threat of ransomware within the context of how much information healthcare providers (particularly the larger ones such as hospitals, etc.) create literally every minute and just how problematic ransomware can be given the lag time and data that is not backed up between data backup cycles?

    Last question: what is your experience as to the most commonly encountered backup cycle times that you see within the healthcare industry? Backups every 24 hours, 12 hours, other? I know that cycle time is a choice and often people will offer the more often the better…but genuinely speaking…what cycle times are you seeing among those healthcare providers you work with…Many thanks!
