A recent “ransomware” cyberattack at Hollywood Presbyterian Medical Center in Los Angeles left clinicians unable to access patient medical records for 10 days in February until the hospital paid hackers a $17,000 ransom in bitcoin. The FBI is currently investigating the attack.
A hospital spokesperson declined to comment on the incident when contacted by ED Legal Letter for this story. In an official statement, the hospital’s president and CEO said, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Raj Mehta, a partner at Deloitte & Touche’s Cyber Risk Services practice, has seen a sharp increase in targeted cyberattacks against healthcare providers.
“Who would have thought several years ago that you could affect healthcare operations, and potentially patient safety, through a cyberattack?” he asks.
Cyberattacks against doctors and hospitals have more than doubled in the past five years, with the average data breach costing a hospital $2.1 million, according to a May 2015 study from the Ponemon Institute, a security research and consulting firm. (The Fifth Annual Study on Privacy & Security of Healthcare Data is available at www2.idexpertscorp.com/ponemon.) Other key findings:
- Nearly 90% of healthcare providers were hit by breaches in the past two years, half of them criminal in nature.
- Criminal attacks in healthcare are up 125% since 2010, and are now the leading cause of data breach.
More than half of healthcare organizations don’t believe their incident response process has adequate funding and resources, according to the report.
Mac McMillan, co-founder and CEO, CynergisTek, an information security and privacy consulting firm, says there was “a huge outcry” for information about ransomware attacks after the Los Angeles incident. Not surprisingly, hospital executives and board members wanted to know how to avoid similar attacks.
“The reaction that we are seeing has been pretty pronounced,” McMillan says. “But what if they knew how many of these events are actually occurring all the time?”
The vast majority of attacks never appear in the media.
“There are a number of attacks going on that are not so visible,” Mehta says. “Healthcare is likely the number one targeted industry.”
McMillan is aware of many other hospitals that were hit by ransomware attacks.
“The ones you didn’t hear about are the ones who were prepared,” he explains. If hospitals are unprepared to mitigate the damage of the ransomware attack, though, “chaos ensues, and the local media starts interviewing patients,” McMillan adds. “That’s pretty hard to hide.”
Less Than 5% of IT Budget
The attack is a red flag that hospitals are underinvesting in cybersecurity, according to Tom Kellermann, CTO, Strategic Cyber Ventures.
“Hospitals are incredibly dependent on technology and have massive IT budgets,” he says. “But they are still not investing in protecting networks from cyberattacks.”
In August 2014, the FBI warned that healthcare cybersecurity systems are lax compared to the financial and retail sectors. Healthcare data is worth more money on the black market than credit card data, Mehta explains, because it can be used in multiple ways. Hackers can use it to commit identity theft, medical fraud, for extortion, or to obtain prescriptions for controlled substances.
Hospitals typically invest primarily in physical security, such as guards and cameras, with most spending less than 5% of their IT budgets on cybersecurity, according to Kellermann.
“Most of the investment is focused on firewalls and encryption — outdated technology,” he says. “Hospitals should immediately allocate at least 20% of their IT budgets to cybersecurity.”
Damage Is Multifaceted
The ransomware attack against Hollywood Presbyterian “goes to show that as an organization, we are a single incident away from having a significant impact,” says Sanjeev Sah, chief information security officer at Texas Children’s Hospital in Houston.
Media coverage focused largely on the $17,000 ransom that was paid.
“But that’s not the real cost,” McMillan says. “The ransom was minimal compared to the operational cost, in terms of loss of revenue from services.” With the hospital down for 10 days and diverting patients to other health systems, “that undermines confidence in the system on many levels,” McMillan adds.
A secondary infection is likely to exist with ransomware attacks.
“You need to be very diligent to be sure that the network has been properly disinfected after an event,” Kellermann warns. “Otherwise, you can get hit again.”
Should hospitals pay the ransom? David McHale, senior vice president and chief legal officer, The Doctors Company, a medical malpractice insurer, says this depends on these factors:
- the circumstances surrounding the attack;
- whether all, or only part, of the system has been compromised;
- the degree to which recovery or restoration of the system can be achieved.
“If a hospital can fully restore its systems, then that hospital has the option to refuse to pay the ransom — and certainly will be in a better position than the hospital that does not have an electronic backup,” McHale says.
The hospital would also need to consider these questions: How effective is the backup? Is the backup performed frequently enough to have full systems restored? Is the system immune to a second hack, or could the backup be compromised?
“The fact of an electronic backup is not, standing alone, the sole determining factor in whether to refuse to pay,” McHale says.
What Liability Exists?
Telling patients that hospitals will care for their well-being, yet allowing a ransomware attack to harm their virtual well-being, “is not to be tolerated, in this day and age,” Kellermann says.
If a patient suffers harm as a result of a cyberattack and the hospital or EP is sued, Kellermann says hospitals “have two things they can hide behind.” One defense is plausible deniability — that the hospital didn’t know what was going to happen. The other defense is that the data was encrypted. This is not a sufficient defense, according to Kellermann, since the hacker likely has stolen the password to unlock the encryption.
“It’s like saying the suitcase was locked when someone has the key,” he says.
Just as emergency physicians (EPs) protect patients from hospital-acquired infections by washing their hands, they’re also responsible for the virtual health of their patients, Kellermann stresses.
“Every time a doctor looks at an amazing new application, they should also recognize that the criminal community, and nefarious individuals, have figured out ways to get into those things,” he says.
Kellermann says EPs should ask these questions of hospital administrators: “Have we had any events? How much are we investing in security? How do we protect our devices? I know we are moving to the cloud, so what is our strategy for security?”
If the hackers sold patient information, the hospital would be subject to claims for damages for identity theft from its patients, investigation by the federal government, and possible fines for violations of the Health Insurance Portability and Accountability Act, McHale says.
If the hospital has confirmed that patient care was not compromised and no personal information of the patients was stolen, the hospital likely does not face much in the way of legal liability, according to McHale. However, “if patient care was compromised, the hospital could potentially face claims of professional negligence,” he says.
Kellermann says the Los Angeles incident should be “a giant red flag to the community at large, that modern healthcare has been virtualized.”
Hospitals are very vulnerable to cyberattacks because of the high-dollar value of healthcare records.
“Healthcare records sell for $70 a record, as opposed to $5 to $20 for credit card or financial records,” Kellermann explains. “The value of healthcare records is dramatically more than any record out there, with the exception of intellectual property.”
Once patients’ healthcare records are sold, this leaves them open to extortion attempts or having lines of credit or equity opened in their names. Extortion campaigns against prominent physicians and patients are another possibility.
“The records have everything to allow you to understand how someone is vulnerable — including their emergency contacts, so you know who they trust — and they can be sent targeted phishing emails [that are infected with malware] accordingly,” Kellermann says.
In some cases, criminal groups pay individuals with hacking expertise to create malware that targets a specific hospital.
“The criminal groups get the ransom out of the target. But the creator of the malware now has a backdoor to conduct a secondary infection,” Kellermann notes.
Cybersecurity experts point to another threat: Life-support machines are becoming more complex, networked, and hackable.
“They are difficult to protect because they don’t have a lot of memory and are difficult to update due to state laws that machine settings cannot be changed unless they are certified,” Kellermann says.
Mobile devices and tablets used by EPs are also vulnerable to attack, putting the organization at risk of contagion. The financial sector and the government banned the practice of using the same password for all devices and public Wi-Fi. However, it is still a common practice in healthcare, Kellermann notes.
“Within the next three years, we will see a terrible event that affects the virtual health of tens of thousands of people that is traced back to a physician violating mobile security policy,” Kellermann predicts. “It hasn’t happened, but it’s inevitable.”