By Mike Mu, Director of HIPAA Compliance, e2o Health
If you watched my most recent video on Step 1C, the PHI Matrix, posted two weeks ago, you might remember I did an example about the crypto ware malware threat, and that I ranked it a really high risk rating. I gave an example of an attack or series of attacks throughout the Los Angeles County area, with ransom demands under $1000 USD.
Not more than a week after recording the video, Hollywood Presbyterian Medical Center declared an internal emergency due to significant IT issues as a result of a cyberattack on their IT systems. A crypto locker ransomware Trojan virus had infected their medical records systems and encrypted critical information while demanding 9,000 bitcoins (roughly $3.8 million USD) for the key to unlock and restore the data files. The FBI is investigating the issue, but in the past it has just told victims that, without a decent backup, paying the ransom is the quickest and easiest way to get the data back.
The hospital systems were down over a week and a half before the CEO declared a state of emergency. This meant the staff was unable to access patient records for the entire period of time, with staff having to resort to overloaded fax and telephone lines to communicate between departments.
In the past, these types of attacks have rarely been aimed at specific victims, as a lot of them just throw out random hooks to see what they might catch. However, with this enormous ransom demand, it’s clear that the attackers know the value of the data they have seized and adjusted the ransom accordingly.
It was just reported 30 minutes ago by the Los Angeles Times (as I write this blog post) that Hollywood Presbyterian has paid a ransom of 40 bitcoins (roughly $17,000 USD) and regained access to their systems. They paid the ransom before contacting the authorities.
If Hollywood Presbyterian Medical Center had done an SRA with me through HIPAA Watchdog, I would have started by recommending they address this high risk immediately by getting more advanced malware protection, doing a network risk analysis to see what other malware might get through their cyber security measures, and keeping both onsite and offsite backups that go beyond the week in full, plus emergency policies and procedures to handle these situations, and a restoration plan to get their systems back up and running.
At this point, after about a month of systems being down with apparently no good backup, it must be costing them a lot in downtime, resources, money, and patient care quality. Can you imagine all the turned-away patients, and having to write on paper forms which then have to be re-entered into the EMR? These attacks are going to be more targeted in the future, and you can bet healthcare systems are going to receive even more attention now. Protect your systems now, before you get hit.