February 18, 2016; Washington Post
Headlines this month of the 434-bed Los Angeles hospital whose operations were compromised by hackers should grab our attention. For ten days, the for-profit Hollywood Presbyterian Medical Center in California lost control of its computer system to a specialized kind of viral attack known as ransomware, which can lock up a computer’s hardware or encrypt files in order to hold a victim hostage. A ransom is then demanded in exchange for release of the system, giving the attack its name.
Allen Stefanek, President and CEO of Hollywood Presbyterian, told the story in a statement.
On the evening of February 5th, our staff noticed issues accessing the hospital’s computer network. Our IT department began an immediate investigation and determined we had been subject to a malware attack. The malware locked access to certain computer systems and prevented us from sharing communications electronically. Law enforcement was immediately notified. Computer experts immediately began assisting us in determining the outside source of the issue and bringing our systems back online.
Administrators were faced with determining the most effective way to continue major operations while negotiating with criminals demanding a payoff of 40 bitcoins—about $17,000 U.S. dollars at the time—to give their system back. While stories differ, it appears that Hollywood Presbyterian paid off hackers prior to calling authorities because they believed it was the “quickest and most efficient way to restore [hospital] systems.”
While the employees were shut out, they were forced technologically back in time: writing down patient orders, exchanging paper, and using faxes. Area hospitals accepted diverted patients who would have otherwise been accepted at Hollywood Presbyterian’s emergency room. Patients were referred to nearby facilities for follow-up on testing compromised during the computer lockdown. Software security company Symantec reports three percent of those attacked pay the ransom. Adam Kujawa, head of Malwarebytes, a San Jose–based company, shared that contacting authorities is not always common. Hollywood Presbyterian did both, ultimately contacting the Los Angeles Police Department and the FBI, which is currently investigating the case. This call for help could have been tied to a need for assistance, or it might have been due to security regulations: According to an article in the L.A. Times, federal law requires that hospitals report any medical data breaches that impact more than 500 people. This would have been the case for Hollywood Presbyterian, with over 27,000 patients seen in their emergency room alone, according to the latest reports from U.S. News & World Report–Health.
Many experts report a rising number of ransomware cases. A 2014 report by Symantec found the number of attacks skyrocketed from 100,000 to 600,000 in 2013. Intel Corp.’s McAfee Labs released a statement this past November that they expect ransomware attacks to increase even more in 2016 due to software sophistication.
Even more concerning to our field is that two reports predicted an increase in targets on hospitals, schools, and police departments. The personal data stored by these organizations was said to be more valuable on the black market. With the average ransom at $300, an article from WIRED raised concern that a larger payoff by Hollywood Presbyterian could result in copycats. These acts on hospitals put “lives at risk [and are] sickening to see,” said Phil Liberman, a cybersecurity expert.
The decision for hospital administrators does seem to be a lose-lose. Though reports to-date suggest that no patient data was stolen at Hollywood Presbyterian, a $17K payoff combined with a 10-day slowdown at a hospital with $209 million in annual revenue seems to be the lesser of two evils when compared to what hospital administrators faced at the UCLA Health System this past July and in Tennessee two years ago. Both are said to have compromised over 4.5M patient records each when faced with large cyber attacks.
As the healthcare system moves toward an electronic health environment with a vision and goal of records shared seamlessly across providers of care, what does all this mean? One article questioned electronic medical records’ improvement on patient care, and others showed an underlying fear of sharing data in a hospital setting. The irony of this fear is that electronic health records (EHR) themselves are themselves focused on patient safety. When implemented correctly, systems such as these have shown dramatic reductions in medical errors. A study conducted by the Carnegie Mellon University Living Analytics Research Centre reported that enhanced EHR adoption accounted for a 27 percent reduction in patient safety errors, a 30 percent decline in negative medication events, and a 25 percent decrease in complications tied to tests, treatments, and procedures. A physician survey by the Office of the National Coordinator of Health Information Technology reported a 52 percent decrease in the number of adverse drug events. Sharing data across providers of care can save not only significant amounts of money, but also save lives in times of patient emergencies and major disasters.
There is no question that cybersecurity is another level of patient security to be taken seriously by administrators—but it is simply one more layer. According to information security consultants TrustedSec in an interview with CBS News, it’s likely that Hollywood Presbyterian did not have good backups they could restore their data from had they not paid the hackers. This responsibility is no different than providing hospital security staff to help assure physical safety within the walls of their facility.
Of course, it’s not just hospitals that should be considering what a talented hack might do to them or their constituents. Still, for most, there’s no reason to run screaming to the nearest high-priced cybersecurity consultant. In the next few months, NPQ will be taking up the issue of cybersecurity and will help guide readers through a reasoned approach to staying safe.—Michelle Lemming