Medical facilities may be becoming more lucrative targets for cyber criminals who steal private data or demand ransoms to unscramble hacked computer systems.
There are two simple reasons, according to experts.
One is medical records at hospitals and other health-related facilities contain valuable information such as names, birth dates, and social security numbers.
The other is medical institutions don’t always have the same protective security systems that other businesses might employ.
These concerns were heightened when a Los Angeles hospital announced Thursday it had paid $17,000 in ransom to cyber attackers who had essentially locked up their computer system.
In a statement posted on the facility’s website, officials at Hollywood Presbyterian Medical Center said the attack occurred on Feb. 5. They said the computer system was operating again on Monday, after the ransom was paid.
Officials at the Federal Bureau of Investigation (FBI), which is overseeing the investigation, told Healthline they would not comment on the case at this time.
Why Medical Facilities Are Targets
Criminals tend to target victims based on how valuable their property is and how easy it is to attack.
Medical facilities make the grade on both levels.
Kevin Haley, director of product management for security response at Symantec Corporation, told Healthline that the data at healthcare institutions are an electronic gold mine.
Patient data not only has the same information such as credit cards, it also contains birth dates, social security numbers, insurance records, and other valuable items.
For data thieves, credit cards are a limited resource. They can only be used until a financial institution blocks access.
On the other hand, information on health records can be used to create false identities, fake accounts, and other long-term criminal activity.
The threat was serious enough for the FBI to issue an advisory in 2014 to healthcare providers.
“You can’t easily change your name or social security number, so that makes that information valuable,” Haley said.
Ransom Payments Increasing
This also holds true for cyber criminals who are seeking ransom payments.
Haley said this type of cyber attack is becoming more common because it’s “easy and profitable.”
Data breaches are sophisticated attacks that require follow-up procedures to bring in revenue.
Ransom attacks, Haley added, only require the cyber crook to send out spam emails or infect an ad on a popular website.
All you need is for a small percentage of victims to pay up for the operation to be profitable.
“You’re going to make pretty good money, so cyber criminals are gravitating toward this,” Haley said.
Once a user clicks on an embedded link, the malware infects files that encrypt the computer’s data before freezing access.
A message then appears on the frozen screen demanding payment. Sometimes, the victim is promised a “key” that will unlock the damage.
In some cases, the victims are given a deadline to pay up before the malware destroys all their computer data. A countdown clock is part of some of the “ransom screens.”
Haley said ransom payments on individual’s computers used to be about $300, but that has now risen to an average of $500 to $700.
In the case of a medical facilities’ records, the hackers feel they can demand more due to the value of the data.
“If attackers think they can get more money, then they will,” he said.
At Hollywood Presbyterian, officials felt it was cheaper and more convenient to pay the 40 bitcoins (equivalent to $17,000) the attackers demanded.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” explained the statement attributed to Allen Stefanek, the hospital’s president and chief executive officer.
Haley said Symantec, one of the leading firms for cyber security, recommends victims do not pay the ransom, even if it’s more expensive and time-consuming to fix the problem.
“You are simply giving money to criminals who will profit and then attack other people,” he said.
Why Medical Facilities Are Vulnerable
Cracking into the computer systems of companies like Visa, MasterCard, or Apple is no easy task, even for a sophisticated cyber criminal.
Invading a medical center’s computer system is, comparatively, much easier.
For starters, data security is important to medical facilities but computer security may not necessarily be their forte.
“They can have a lot of equipment running old versions of software,” Haley said. “Their security procedures will definitely determine how vulnerable they are.”
In addition, hospitals and other medical institutions tend to employ large work forces. All it can take is for an employee to make a mistake.
In Hollywood Presbyterian’s case, Haley said, the cyber attack probably happened after one or more employees clicked on a link in a spam email or on an ad on a legitimate website.
The attacker’s malware then wove its way through the hospital’s computer network.
In its statement, Hollywood Presbyterian officials said the attack “did not affect the delivery and quality” of care given to patients at their 434-bed facility.
They added that there is “no evidence at this time that any patient or employee information” was improperly accessed.
According to media reports, hospital employees resorted to fax machines and landline telephones to conduct operations while their computers were locked up. Medical records were jotted down by pen and paper.
Although the Hollywood Presbyterian situation has been cleared up, the issue of computer security is an important one in the industry.
In a statement sent to Healthline, the American Hospital Association (AHA) said computer security is a high priority.
“Hospitals and health systems take seriously their obligation to protect patient data. We encourage them to be vigilant about new cyber risks,” Chantal Worzala, AHA’s vice president of health information and policy operations, said in the statement.
Haley said there are two simple ways for medical facilities as well as other companies and individuals to help protect their data.
One is to upgrade software security on their systems. The other is to back up data files on an external hard drive not directly connected to the main drive.
“It’s unfortunate that this happened, but it is a great wake-up call,” Haley said. “It shows that the consequences of not having proper security can be devastating.”