According to media reports, Hollywood Presbyterian Medical Center in Los Angeles paid a $17,000 ransom to a hacker in order to unlock email and electronic health records that had been encrypted by malware. While the hospital affirms that patient health was never in jeopardy, the staff’s ability to share the results of X-rays, CT scans, and other medical tests was impacted, likely due to the disabling of their email system [1].
Richard Winton at the LA Times reported that the attack on the hospital began on the 5th of February, and that the hospital was not able to regain control of all its computer systems until Monday the 15th of February. According to sources quoted in the Times article, the hospital paid the ransom before calling in law enforcement sometime during the week of the 8th. At this point, there is no indication that patient records were exposed, only rendered unavailable by a form of ransomware.
Quoted in the LA Times, hospital CEO Allen Stefanek said: “The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.” [2]
In many ways, this story represents a victory for contingency planning, as the hospital was able to revert to 'sneakernet' and old-fashioned pen-and-paper record keeping without negatively impacting patient care. But significant and concerning questions remain unanswered.
At what point, and for how long, individual systems were unavailable remains unknown. Likewise, we do not know what happened between the paying of the ransom (remember that it was paid before police were called in sometime during the week of the 8th) and the full recovery of systems on the 15th. Hollywood Presbyterian declined to comment for this interview. One potential explanation for the delay is that law enforcement could have been conducting digital forensics during that time, trying to ascertain who built the ransomware, where it came from and, possibly, what other systems or organizations it might have infected.
As a best practice, the hospital (any business or organization, really) should back up its data nightly, but whether or not those practices were in place at Hollywood Presbyterian can be added to the list of unknowns. If the hospital does conduct regular data backups, we do not know if the data was backed up to tape or put in some kind of cloud storage/disaster recovery solution, or if the backup data was compromised as well.
What we do know is that this ransom is significantly larger than those paid in previous attacks. Nearly a year ago, several small-town police departments were infected with similar malware, but they wound up paying about $500 to recover their systems [3]. The size of the ransom demand in this case suggests that attackers may have known what they were targeting and spearphished the hospital specifically, as opposed to just throwing the malware loose on the internet to see how much money it could make.
Without further details on what data backup and IT contingency processes were in place at Hollywood Presbyterian, I can only reiterate my kudos to the hospital for implementing contingency operations and maintaining patient care throughout this major outage, along with our concern that so much data is being placed in the digital realm without consideration of the risks and implications of contingency events like a loss of power or corruption of information systems.
To mitigate those concerns, we must continue to push for the best practice that information should be regularly backed up and housed separately or firewalled from production environments to ensure that it is not susceptible to the same threats. Furthermore, more emphasis should be placed on scanning backup data for vulnerabilities before reinstating it, in case the backups are infected as well.
Eliot Schmidt is a Senior Consultant at MindPoint Group LLC