Beginning on February 5, 2016, hackers seized control of Hollywood Presbyterian Medical Center’s (HPMC) data systems using sophisticated encryption technology in one of the largest ransomware attacks ever. The hackers then contacted the hospital’s staff and demanded an undisclosed monetary payment in exchange for restoring the systems to normal.
For approximately two weeks, the hackers had control of the systems. During that time, the hospital had no access to ePHI, had to write records by hand, and had only the use of telephone and fax machines. On February 15th, the hospital paid the hackers roughly $17,000 in the form of 40 Bitcoins.
Two days later, HPMC released a statement concerning these events. In that statement, Allen Stefanek, President and CEO of the hospital said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Considering what was at stake, HPMC paying just $17,000 to resume normal operations seems justified. But succumbing to a ransom demand may encourage copy-cat crimes and repeat offenses. Additionally, it’s unlikely that this will be the last we hear of HPMC’s troubles – the attackers most likely left themselves an entrance for later use. On the bright side, to date HPMC has not reported that the hackers accessed any ePHI; however, further investigation is needed to be certain.
For a few years now, the fear that hackers could impact patient care has been in the back of the minds of many in the healthcare IT industry. With the development of the Internet of Things (IoT) and smart devices such as pacemakers, insulin pumps, etc., the threat has never been more real. So far HPMC has not reported any adverse patient events that can be attributed to the recent loss of access to their systems. But the threat of hackers interfering with patient care – even costing lives – still stands as a potential future reality.
Hospitals have long lagged other industries in the maturity level of their security posture. It has been abundantly clear that simply meeting and maintaining HIPAA compliance does not necessarily equate to a lowering of the risk of data breach. HPMC is very likely HIPAA-compliant but that did not prevent the recent attack. Increased investment in security is needed across the board, in products, services, and expertise.
A recent IDC study shows healthcare providers heading in the right direction. Smaller hospitals are prioritizing “infrastructure and datacenter security”, while larger hospitals are prioritizing “cloud security requirements”. The increased spending and additional security resources are a much needed and welcomed change. Now the hard part – use those resources and expertise to drive down real security risk.
It is not an easy task. The complexity of healthcare security as well as the diversity of emerging attack vectors is truly a force to be reckoned with. Worse, the recent hacking attack was successful in crippling the operations of a health provider, rather than simply stealing patient info. Hopefully, other providers will take note. The risk is far greater and potential repercussions enormous. It is time to make network, application, and personnel security a mission-critical priority.
Should HPMC have given in to extortion demands? It is not for us to say. The moral of the story is that it could happen to you. Now more than ever, it is imperative that the healthcare industry goes above and beyond HIPAA compliance in how it manages security.