A Hollywood hospital has been crippled by a cyberattack, with crooks reportedly holding its data hostage and demanding 9,000 bitcoins – about $3.4 million – to give it back.
According to NBC, as of Friday, ambulances were being diverted from Hollywood Presbyterian Medical Center, staff were reduced to using pen and paper to take down patient information, departments had to communicate via fax, and patients had to come to the hospital to pick up test results because email servers have been shut down.
The attack started a week earlier, on 5 February.
The hospital has released little information about how the cyberattack was carried out, so we don’t know whether it occurred through a network hack and an emailed ransom message, or through multiple infections of ransomware.
A doctor who requested anonymity told NBC simply that the hospital’s system was hacked and was being held for ransom.
Allen Stefanek, the hospital’s President and CEO, told NBC that the hospital first became aware of the attack when staff began noticing “significant IT issues” and declared “an internal emergency.”
He said that the FBI is investigating. The hospital has also been getting assistance from the Los Angeles Police Department (LAPD) and cyberforensics experts.
Stefanek said that patients aren’t in danger. But as it is, staff can’t access patients’ medical records, including their medical histories, lab results, X-rays or CT scans.
Doctors are reportedly growing frustrated with the delay in resolving the issue, and patients are experiencing delays in care.
Fearing that whatever is behind the attack could get worse, management has forbidden staff to turn on their computers.
The healthcare blog The Medical Quack says that according to its sources, the computer-reliant Radiation and Oncology departments have been completely shut down.
Stefanek said that so far, there’s no evidence that health data has been compromised in what he called a “random” attack:
At this time, we have no evidence that any patient or employee information was the subject of unauthorized access or extraction by the attacker.
We don’t know whether the hospital will pay the ransom to get the files back – it’s obviously a very difficult decision to make. On the one hand, staff need to be able to access patient data. But on the other hand, if the hospital does pay, it would be funding criminals – and with little certainty that the hackers wouldn’t simply come back right away.
The FBI in October caused a stir when it said that it often advises ransomware victims to just pay the ransom.
Joseph Bonavolonta, Assistant Special Agent in Charge of the Cyber and Counterintelligence Program in the FBI’s Boston office, at the time said that the “overwhelming majority of institutions just pay the ransom.”
Victims often get back access to their data after they pay, he said.
Hopefully the hospital can resolve this quickly, and that staff can get back access to those precious records soon.
Chuck Beyer
Build a house of cards and then wait for a strong breeze.
Tom
No backups? Either they don’t have an IT dept. or the IT dept. is not paying attention. I’d be happy to provide a backup strategy to them for $3M. Of course, it may be that they felt that IT and backups are just a big fat waste of money.
Paul Ducklin
There may be a lot more to it than that. If hackers got into your network and changed all your passwords, for example, you might find correctly restoring your backups would be much, much harder than on a good day…
Tom
No tech wants to do a bare metal restore to recover from a disaster, but I always have recent full system image backups of my servers that I store offline if I have no other option. I do daily hybrid backups to a NAS and cloud storage knowing that they can be compromised. I try to keep my worst-case scenario backups no more than about a week behind in case an infection appears. I know that if my workstations get infected at the same time, I would have a lot more work. Twenty years ago my network was infected and I spent a long weekend restoring a server and workstations. I try to conform to SOX (US federal act) though I don’t have to. Let’s face it, no one ever said running an IT department was easy; we do it because we enjoy solving complex problems, and occasionally having our boss tell us we did a good job.
mjbcode@runbox.com
I can see a good reason why we’re not being told about the backup systems. All the talking is being done by doctors and managers. Backups are one of those things that we stop people like them having to think about.
mjbcode@runbox.com
… and that’s another throwaway email alias thrown away. How embarrassing.
Paul Ducklin
So, you can’t log in to anything, not your routers, not your database servers, not anything on your Windows domain…
…so you do a factory reset and a bare metal restore on *everything*, which puts you back where you were when the crooks figured out how to break in last time and squeeze you for $3m.
After 72 hours without sleeping (that nap in the patch-panel room doesn’t count) you go to bed triumphantly. You come back the next day…
…and they’re back. New price, $4.5m or make an offer.
John Harris
Outside of a good antivirus, what’s the best solution?
Ocean Midge
First thing I would do is remove any connectivity to the outside world. I dare say a hospital’s internal IT systems should remain relatively functional while air-gapped.
Paul Ducklin
That can cut both ways these days…firstly, it can be quite hard to cut a big network off from the internet reliably, given the number of likely interconnections. Secondly, when you’re cut off, updating and fixing things is correspondingly harder. Thirdly, anything cloud-based will stop working, which could be problematic.
Greg
Your first point is nonsense, any half decent IT Dept should be able to get this done with relative ease in a short period of time.
Paul Ducklin
Seriously? In a world of LTE phones that can turn into surprisingly capable access points in 30 seconds, and where it’s one email and a credit card number to have a 20Mbit/sec DSL connection piggy-backed on that spare phone line that’s still maintained in Accounts for the postal franking machine,…
…you are certain you could find and cut off *every* inbound and outbound path to the internet for all your computers? On a network that’s already been comprehensively pwned?
Good luck with that. And once you’ve cut yourself off…then you remember that satellite office in Bonn and the Support guy with the training lab in Montpellier and the company you just acquired in Western Australia, and you think, “So how am I going to connect to their networks to do a controlled shutdown?”
No worries, give them a call! Oh dear! The VoIP server is offline. Etc.
Bryan
Colorado has a collaboratively-centralized medical records database (not completely centralized at a technical level, but practically it is). It’s been ~4 years since I worked medical IT, but I recall an in-progress plan to expand this nationwide. A vacationing New Yorker in Florida could be unconscious in the ER and still receive treatment with no fear of hidden complication.
With my medical record online (and yes–hopefully substantially secured) within this system, any facility’s localized crisis should be merely a speed bump, and any hospital should theoretically have access to X-rays from when my Mars lander crashed, fully able to avoid the metal plate in my scalp.
Not that this recovery should be so trivial as a couple PCs and a router from Best Buy, but unless this hospital kept information isolated that it really shouldn’t have…there’s no strong reason to cave to the ransom.
Anonymous
I agree, Paul, and their backups may now all be encrypted, so the most recent may not even be an option.
Guest
There’s one thing noticeably missing in the article:
Backups
Please tell us that such critical data was backed up offsite…
Lisa Vaas
We don’t know details such as the hospital’s backup situation. We don’t even know for sure if it was ransomware, given that only one doctor mentioned it, off the record. As of the time we posted, the hospital hadn’t confirmed it.
sergio rodriguez
I saw an episode of CSI Cyber that was the same exact thing.
Anonymous
I’m sure they never expected 100% security; they must have made provision for such occurrences from time to time. Don’t you think they know?