Hollywood Presbyterian Medical Center makes headlines by opting to pay bitcoin ransom in order to quickly regain control of its computer systems
In recent weeks, hackers temporarily shut down MedStar Health—one of the biggest healthcare systems in the Washington, D.C. region—in the latest example of why cyberattacks are a threat not only to hospitals, but to anatomic pathology labs and clinical laboratories as well.
This latest incident is another example of a “ransomware” attack, in which cybercriminals lock computer users out of critical records and files. They then extort money by posting a digital ransom note warning users they must pay a ransom amount within a specific number of days if they want the digital key that will release their data.
According to the Associated Press, there were 2,453 reports of ransomware hackings in 2015, resulting in more than $24 million in damages. This total includes paid ransoms, remediation costs, lost productivity, and other expenses.
MedStar Resorts to Paper Records During Cyberattack
MedStar operates 10 hospitals in Maryland and Washington, employs 30,000 staff, and has 6,000 affiliated physicians. The health system was forced to shut down its computers and e-mail during the March 28 attack, which also prevented patients from booking appointments.
While MedStar did not openly describe the attack as ransomware, the Washington Post reported that a woman who works at MedStar Southern Maryland Hospital Center sent the newspaper an image of the ransom note, which demanded the healthcare provider pay 45 bitcoins (a virtual currency equivalent to roughly $19,000) in exchange for the digital key. The FBI also is investigating the virus behind the incident.
Richard Alcorta, MD, Maryland State Medical Director, called the attacks a “form of terrorism.”
“People view this, I think, as a form of terrorism and are attempting to extort money by attempting to infect them with this type of virus,” Alcorta told the Baltimore Sun.
Patient Care Was Affected During Attack
MedStar reported that all facilities operated safely throughout the crisis. However, the Washington Post described the immediate aftermath of the cyberattack as “chaotic” in at least one location, where seldom-used paper charts provided less comprehensive patient information and staff could not rely on the computer system’s built-in safeguards.
A nurse who worked at MedStar Washington Hospital Center outlined the challenges the staff faced during the first evening without access to computers. In one example, she told The Washington Post that clinical laboratory test results took longer to process. This resulted in one patient continuing to receive a powerful antibiotic that should have been discontinued.
“The medication should have been stopped eight hours earlier,” the nurse stated.
By April 4, MedStar reported clinical and administrative systems were “almost fully back online,” with “unique, site-specific” issues being resolved on a “real-time basis.”
MedStar Claims Media Reports ‘Inaccurate’
In the days following the MedStar attack, media reports surfaced claiming the hospital system had been left vulnerable to attack because server software had not been adequately updated with available patches. On April 6, MedStar officials released a statement refuting that allegation.
“News reports circulating about the malware attack on MedStar Health’s IT system are incorrect. Our partner Symantec, a global leader in cybersecurity, has been on the ground from the start of the situation and has been conducting a thorough forensic analysis. … In reference to the attack at MedStar, Symantec said, ‘The 2007 and 2010 fixes referenced in the article were not contributing factors in this event.’”
Cyberattacks Affect Hospital Daily Operations
But the MedStar attack does highlight a disturbing trend. It follows a March 18 incident at Methodist Hospital in Henderson, Kentucky, which declared an internal state of emergency after its computer systems were infected with ransomware that limited their use. CNN Money reported that the hospital was able to get back up and running within five days by relying on backup copies of information stored elsewhere. Methodist Hospital reportedly did not pay the four bitcoin (roughly $1,656) ransom.
“One thing I think is becoming clear, especially over the last few weeks or months, is that healthcare is rapidly becoming a target for this,” Daniel Nigrin, MD, MS, Senior Vice President and CIO at Boston Children’s Hospital, told the Washington Post. Boston Children’s Hospital’s network came under attack by the hacker collective Anonymous in April 2014. “What struck us at that point was—you know what? These attacks can do a lot more than get your data. They can really disrupt the day-to-day operations of your facilities,” Nigrin said.
Earlier this year, Hollywood Presbyterian Medical Center in Los Angeles announced it was paying approximately $17,000 in bitcoin currency to regain control of its computer system, which hackers seized on Feb. 5 through an infected e-mail attachment.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” Hollywood Presbyterian Medical Center President and CEO Allen Stefanek wrote in a Feb. 17 statement posted on the hospital website.
Ransomware hackers typically keep ransom amounts low in order to increase the likelihood of being paid.
Other Attacks on Healthcare Systems
Ransomware isn’t the only cyber threat targeting healthcare information systems. On Feb. 29, Dark Daily reported on the computer virus that crippled the pathology department at the Royal Melbourne Hospital in Australia. In that instance, malware spread through the hospital system by targeting computers running Microsoft Windows XP, a 14-year-old operating system Microsoft no longer supports. (See Dark Daily, “Virus Attacks Hospital’s Medical Laboratory Department Computers, Crippling Workflow and Spreading to Other Departments,” February 29, 2016.)
Craig Williams, Senior Technical Leader and Manager, Cisco Talos Security Intelligence and Research Group, told Ars Technica that healthcare organizations often make themselves easy targets for hackers.
“A lot of people in the healthcare industry—they set up websites in a kind of fire and forget fashion,” Williams explained. “They hire an IT guy, they get the billing system set up, hook it up to the website, and then they never touch it again. That’s the perfect environment for this type of malware to thrive in because it’s not maintained. They have no full-time security staff and few if any full-time administrators. As a result, the software just goes unpatched.”
Taken together, these attacks on hospitals in the United States and on the medical laboratory of the hospital in Australia are an early warning to clinical lab managers and pathologists. It is time for all labs to review the ability of their information technology to withstand cyberattacks, particularly those in which hackers demand a ransom.
—Andrea Downing Peck