As this publication reported on Tuesday, based on a variety of media sources, “The computer system at Hollywood Presbyterian Medical Center, based in Los Angeles, Calif., has been down for more than a week following a ransomware attack and hackers are demanding $3.6 million to restore the system, according to local news sources. According to a news report from a local NBC station (NBC4),” HCI Assistant Editor Heather Landi wrote yesterday, “Hollywood Presbyterian Medical Center president and CEO Allen Stefanek said hospital staff noticed ‘significant IT issues and declared an internal emergency’ Feb. 5. He also said the attack was random, not malicious, and that the hospital’s emergency room has been sporadically impacted since the attack. The outage is due to ransomware that ended up on the hospital’s internal network.” The NBC4 report further quoted Stefanek as telling the television station, "At this time, we have no evidence that any patient or employee information was the subject of unauthorized access or extraction by the attacker.”
In the past 24 hours, a number of additional news reports have been published, though, understandably perhaps, Hollywood Presbyterian senior executives have not spoken publicly about the situation apart from the one interview published by Los Angeles’s NBC4.
Still, regarding the $3.6 million demanded of the 434-bed hospital (formerly known as Queen of Angels-Hollywood-Presbyterian Medical Center) by the hackers, reportedly in the form of 9,000 units of the online payment method Bitcoin, “This is an unusually large amount to ask for,” Stephen Gates, chief research analyst and principal engineer of the Santa Clara, Calif.-based NSFocus IB, told my colleague Neil Versel, who wrote about the situation yesterday afternoon in a report in MedCity News. As Gates told Versel, “Ransomware is a unique kind of malware. It encrypts files on the network and asks for a key code to unencrypt the files. Extortion campaigns are really what they are.”
What’s more, a report Tuesday in WIRED magazine stated this: “As WIRED explained last fall, while ransomware has been around for over a decade, hackers have been embracing increasingly sophisticated methods. In the past, ransomware could only lock down a target’s keyboard and computer; now, hackers can encrypt an infected system’s files with a private key known only to the attacker. That may be what has happened here, according to anonymous hospital sources who told NBC4 that the hackers offered a ‘key’ in exchange for the ransom money. The hospital has yet to officially detail the attack.”
There is a great deal that is unknown in this situation, and it is understandable that the hospital’s senior executives are not revealing publicly what has happened and is currently going on, behind the scenes. It would be foolhardy of them to say, right now. But among the questions I have are these: What forms of cybersecurity and data security were in place at the hospital at the time of the attack? Was the patient data in the electronic health record (EHR—reportedly from the Alpharetta, Ga.-based McKesson Corporation) encrypted at rest? Is the hospital regularly performing behavioral auditing? What kinds of phishing training has taken place for EHR and other clinical IS end-users? Does the hospital have a CISO (chief information security officer), and what kinds of human and other resources does the CISO, if there is one, have?
Additional questions on my mind include: How and when was the ransomware message communicated? Did the hospital have any kind of data replication in place? How have the operations of the hospital’s data center been affected? Did the hospital have a comprehensive disaster recovery and business continuity plan? I would also be curious as to the expertise of any consultants currently involved in helping the organization to resolve this terrible situation.
On a broader level, this whole situation raises the specter of our collective entry into a frightening new world. We all know that healthcare IT leaders are working very hard to try to ensure data security and cybersecurity, but the reality is that the dangers are becoming more menacing all the time now, not less. And independent community hospitals like Hollywood Presbyterian are particularly vulnerable with regard to the kinds of human and capital resources available to master these ever-intensifying issues.
What’s more, the issues are becoming apparent in every sphere of patient care organization activity. The threats are coming from everywhere: from phishing scams aimed at disarming clinical information systems by getting unsuspecting staff members to open loaded e-mails; from straight-out hacks by crime syndicates and even hostile foreign governments; and in the form of cyber-attacks against medical devices, which increasingly are totally connected to EHRs and other clinical information systems.
It is in that context that a new report, “Assessing the FDA’s Cybersecurity Guidelines for Medical Device Manufacturers: Why Subtle ‘Suggestions’ May Not Be Enough,” was published this week by a non-partisan collaborative of organizations called the Institute for Critical Infrastructure Technology. The report asserts that recent guidance from U.S. Food and Drug Administration (FDA) for device makers on cybersecurity, is woefully inadequate.
The report’s authors, ICIT senior fellow James Scott, and Carnegie Mellon University visiting scholar Drew Spaniel, note that, "In practically all matters of cybersecurity within the health sector, the FDA seems to be in a constant state of offering subtle suggestions where regulatory enforcement is needed.” But they add that cyber threats are evolving, “as malicious adversaries develop new malicious code, attack along novel threat vectors, and target different data and victims. The healthcare sector, the report’s authors note, “is at elevated risk to targeted attacks, because lack of regulatory device security and expansive victim pool makes hospitals and healthcare providers tantalizing targets.”
And while what happened this week at Hollywood Presbyterian Medical Center comes out of a different type of threat the words of that reports authors feel particularly resonant right now. And of course, the human element remains preeminent here, particularly if the hackers who have attacked Hollywood Presbyterian were able in any way to involve hospital employees in their terrible scheme (something we know nothing of, and may never find out, if true).
And while this entire situation is deeply lamentable—and certainly, executives at Hollywood Presbyterian have my empathy, as they work to fix the situation—perhaps this incident might serve as a wake-up call for IT leaders across U.S. healthcare. Because things are becoming more and more frightening every day, as was made patently clear this week. And it will take very hard—and very smart—work to address this tsunami of cyberthreats in our industry.
