Administrators at a Los Angeles hospital facing a ransom demand from hackers who hijacked its computer network just gave their enemies 17,000 reasons to repeat their behavior.
Allen Stefanek, CEO of Hollywood Presbyterian Medical Center in Los Angeles, transferred $17,000 in the digital currency bitcoin to hackers who were holding the hospital’s computer system hostage with “ransomware,” malware that encrypts files so that a key is needed to unlock them, CBS News reports.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said. “In the best interest of restoring normal operations, we did this.”
Hackers took over the hospital’s computers Feb. 5, and it took 10 days before they were back in order. A “source familiar with the investigation” told the news site the hospital paid off the hackers before contacting the authorities.
“If they decided to pay the ransom, it probably means that they didn’t have very good backups, they weren’t able to recover the data, and that the data would have been lost if they didn’t pay the ransom,” security expert Dave Kennedy said.
The Los Angeles Times reports that federal law requires hospitals to report medical data breaches that impact more than 500 people. Hollywood Presbyterian, which is owned by CHC of South Korea, is a 434-bed facility.
Stefanek said the hospital used paper records while computers were down, and alleged hospital records were not compromised.
“I have never heard of this kind of attack trying to shut down a hospital. This puts lives at risk, and it is sickening to see such an act,” cybersecurity expert Phil Lieberman told the Times. “Health management systems are beginning to tighten their security.”
Federal records show that at least 158 facilities, from medical providers to insurers to hospitals, have been hacked or have had patient records compromised since 2010.
“Last July, hackers accessed as many as 4.5 million patient records in the UCLA Health System’s computer network,” according to the Times.
Los Angeles Police initially investigated the breach at Hollywood Presbyterian when hospital officials reported the problem last week, but the FBI has since taken over the case.
CBS News reports it’s unclear whether law enforcement or technology experts influenced the hospital’s decision to pay up, but noted that most computer security consultants don’t think it’s the best route.
“Unfortunately, a lot of companies don’t tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals,” said Adam Kujawa, Head of Malware Intelligence for Malwarebytes, which recently developed anti-ransomware. “I know from the experiences I hear about from various industry professionals that it’s a pretty common practice to just hand over the cash.”
And it doesn’t seem as though the problem is going away any time soon.
From CBS News:
During 2013, the number of attacks each month rose from 100,000 in January to 600,000 in December, according to a 2014 report by Symantec, the maker of antivirus software.
A report from Intel Corp.’s McAfee Labs released in November said the number of ransomware attacks is expected to grow even more in 2016 because of increased sophistication in the software used to do it. The company estimates that on average, 3 percent of users with infected machines pay a ransom.