Hollywood Presbyterian Medical Center paid $17K ransom to unlock its own medical records…
At the time, taking the United States’ wild, messy, unreliable system of medical records online seemed like a worthy goal. “To improve the quality of our health care while lowering its cost, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized,” President Obama said. “This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests.”
This initiative may have improved care, but electronic medical records led to quite the unique hostage situation in Los Angeles this week. There, a hospital fell prey to a cyberattack — and has escaped its plight by paying hackers $US17,000.
Allen Stefanek, president and chief executive of Hollywood Presbyterian Medical Center, explained the situation in this statement:
“On the evening of February 5th, our staff noticed issues accessing the hospital’s computer network,” he wrote. “Our IT department began an immediate investigation and determined we had been subject to a malware attack. The malware locked access to certain computer systems and prevented us from sharing communications electronically.” Stefanek pointed out that medical records were locked from being shared. As reports emerged of the hospital being forced to resort to the pre-historic days of paper charts, at least one patient was feeling the pain.
Stefanek also said that reports of the ransom payment were greatly exaggerated. “The reports of the hospital paying 9000 Bitcoins or $US3.4 million are false,” the statement said. “The amount of ransom requested was 40 Bitcoins, equivalent to approximately $US17,000.”
For a 434-bed hospital with more than 500 doctors that’s generated as much as $US209 million in yearly revenue, perhaps that wasn’t so much. But wasn’t any amount too much? Could anonymous computer wizards potentially compromise care and get away with it?
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek’s statement said. “In the best interest of restoring normal operations, we did this.”
Experts agreed this was a familiar course of action. “Unfortunately, a lot of companies don’t tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals,” Adam Kujawa of Malware Intelligence for Malwarebytes, a company that recently released software designed to thwart such attacks, told the Associated Press. “But I know from the experiences I hear about from various industry professionals that it’s a pretty common practice to just hand over the cash.”
But Hollywood Presbyterian, owned by CHA Medical Center of South Korea, said not to worry. “Patient care has not been compromised in any way,” Stefanek wrote. “Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access.”
If that’s true, Hollywood Presbyterian has avoided potential disaster. To name just one example of a healthcare-related computer attack, the hack of a hospital operator in Tennessee compromised the personal information of 4.5 million people in 2014. Even police departments have coughed up ransom payments to get their data back. The FBI is investigating the attack on Hollywood Presbyterian, but did not release details.
More Here [theage]