Hollywood Presbyterian Medical Center on Wednesday announced that it paid approximately US$17,000 to resume normal operations after digital extortionists knocked its computer systems offline.
The Los Angeles hospital discovered its computer network infected with ransomware earlier this month. Ransomware is a form of malware that scrambles data and key files on a system and demands a ransom be paid for a digital key to unscramble the data.
After paying a ransom of 40 bitcoins, or $17,000, to the extortionists, the hospital was able to bring its electronic medical record system online, HPMC said. Bitcoins are a digital currency favored by cybercriminals because, like cash, they’re difficult to trace.
“It is important to note that this incident did not affect the delivery and quality of the excellent patient care you expect and receive from Hollywood Presbyterian Medical Center. Patient care has not been compromised in any way,” HPMC CEO Allen Stefanek noted.
“Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access,” he continued.
Initial reports about the incident pegged the ransom at $3.4 million, or 9,000 bitcoins. Those reports were false, HPMC noted.
No Honorable Thieves
Paying ransom might embolden the perpetrators of ransomware, according to Rick Orloff, CSO ofCode42.
“It’s analogous to why the government doesn’t negotiate with hostage takers. It encourages hostage-taking,” he told TechNewsWorld.
If a ransom is paid, it should be done with caution, observed Lee Kim, director of privacy and security for theHealthcare Information and Management Systems Society.
“In the best-case scenario, you will get the decryption key,” she told TechNewsWorld.
“You’ll be up and running and back to normal, but even if that does happen, you really should have some forensics and malware experts in there to make sure that there isn’t any other malware on your systems,” Kim continued.
“Don’t trust criminals to do the honorable thing and not drop additional malware,” she said.
To Pay or Not to Pay
Ryan Kalember, senior vice president of cybersecurity strategy forProofpoint, strongly opposed paying ransoms.
“Even if the attackers keep their word and decrypt your data, there is no guarantee that they will not leave other forms of malware running on the system in order to carry out other crimes, like sending spam emails, launching DDoS attacks, and stealing personal or financial data for use in online fraud and identity theft,” he told TechNewsWorld.
“Paying cybercriminals often funnels money to organized crime and terror groups and should be avoided as a rule to not perpetuate the cybercrime cycle,” Kalember said.
However, whether to pay ransom isn’t a black-and-white proposition, said Scott Gainey, senior vice president forSentinelOne.
“It’s not a yes or no answer. It depends on the systems that were affected,” he told TechNewsWorld.
“Law enforcement has come out strong against paying the ransom for fear it will open up a Pandora’s box, but in this case, patients were being diverted to other hospitals and it was severely affecting the hospital’s business, so they may not have had a choice,” Gainey said.
Moreover, “the cost of cleaning their environment could exceed the ransom that these guys are asking for,” he added.
Lesson Learned
The scale of the attack was relatively minor. “In the grand scheme of things, this attack is not a large one in terms of records breached, as only individual systems were infected with ransomware,” Proofpoint’s Kalember noted.
“What makes it notable is that the attack affected systems involved in clinical care,” he added.
The incident also may change the thinking of healthcare security pros about their systems.
“People often think of healthcare security as preserving confidentiality of data,” said Daniel W. Berger, president ofRedspin, an Auxilio company.
“Health organizations have to start considering the fact that the integrity of the data and the availability of the data is in many ways more important than confidentiality,” he told TechNewsWorld, “because you can have a situation like this where the hospital had to revert to a manual system to provide care because the data wasn’t available.”