Local hospitals are on high alert after news last week of a ransomware attack at Hollywood Presbyterian Medical Center.
Alarmed administrators and information technology staffs at other hospitals are concerned they could find themselves subject to similar breaches.
A hacker earlier this month obtained and encrypted data files crucial to operations at the 434-bed facility in East Hollywood. Without access to those files, staff and physicians were forced to use paper records and reschedule procedures.
Hospital officials paid the ransom demanded by the hacker, in bitcoins worth $17,000, and got their data files back. Operations had returned to normal by early last week.
But experts warn the hospital’s troubles might not be over as threats of lawsuits and government investigations loom.
Meanwhile, other hospitals fear they could be hit next.
“Yes, we are very concerned and IT is on the alert,” said Socorro Serrano, director of media relations and digital programs at Kaiser Permanente Southern California in Pasadena.
Officials at other L.A. hospitals contacted – including Martin Luther King Community Hospital and Keck Medicine of USC – were reluctant to give any specifics, even refusing to comment on whether they are conducting reviews of their cybersecurity protocols in the wake of this month’s ransomware attack.
But cybersecurity experts say they expect hospitals are doing just that. They note hospitals face unique risks if they lose access to their data files.
“Hospitals are in a different league when it comes to not being able to access systems,” said Austin Berglas, head of cyberdefense for K2 Intelligence, an investigation and cyberdefense firm in New York. “In addition to locking up data, criminals could potentially lock up machines connected to life-support systems. This is a critical risk to the health and welfare of patients.”
Paying ransom
Allen Stefanek, Hollywood Presbyterian’s chief executive, said in a statement last week that at no point during the weeklong cyber-ransom incident was patient safety at risk. The encrypted files were mostly internal communications, including scheduling of procedures and lab results. Nonetheless, he made the decision to pay the money.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek said in the statement. “In the best interest of restoring normal operations, we did this.”
Stefanek noted that the ransom amount was 40 bitcoins (equivalent to $17,000), not the 9,000 bitcoins (roughly $3.6 million) indicated in early media reports.
Some hackers demand payment in bitcoins because that cybercurrency is less traceable than conventional currency.
Cyberdefense specialist Berglas said it’s decisions like this that make ransomware attacks so appealing to hackers.
“Once your data is encrypted, there’s really not much you can do except either pay the ransom or learn to live without the data,” he said. Getting around the encryption to access the files or tracking down the hackers in a timely manner is virtually impossible, he added.
Troubles not over?
Even though Hollywood Presbyterian has its data files back, its troubles related to the ransomware attack might not be finished. Lawsuits filed on behalf of patients could be a possibility.
“If any evidence occurs in coming months that the data files were actually viewed – if for example, patients experience an uptick in identity theft – then that is actionable,” said Brian Kabateck, managing partner of downtown L.A. consumer law firm Kabateck Brown Kellner. “But even if there is no such evidence, if it can be shown that the hospital was negligent or careless in the way it guarded its data files, that could still be grounds for a lawsuit. We’ll just have to wait and see how this unfolds.”