Ransomware: The Cyber-Crime Spree Against Hospitals

By: Alexis Rose

Ransomware attacks have become a growing plague on a number of industries, but the targeting of hospitals and other healthcare providers is of special concern. Ransomware is a type of malware that infects computers and networks, typically through infected e-mails or advertisements. The malware locks users out of key files or an entire network, and the infected computer displays a screen with a ransom demand. The owner of the system is told the network can only be unlocked with a key that must be provided by the hacker, and the key can only be acquired once the ransom is paid. The high value of healthcare files and the vulnerability of hospital computer systems make the healthcare industry an increasingly frequent target for ransomware attacks.

A number of hospitals have paid ransom demands and the demands are only getting bolder. The largest ransom paid was on February 5th by the Los Angeles area hospital, Hollywood Presbyterian Medical Center, which paid $17,000 in bitcoin (a type of online currency that allows cyber criminals to demand larger untraceable amounts of money) to have its system unlocked. The attack on Hollywood Presbyterian was the beginning of a slew of ransom attacks through the months of March and April. In March, three hospitals were hit by ransomware attacks within a few days of each other, and in early April MedStar’s system was hit, putting its ten-hospital network at risk. On May 23rd, Kansas Heart Hospital was hit with the boldest attack yet, when the hackers demanded a second ransom. The Wichita-based hospital was hacked and paid a “small amount” of ransom, according to the hospital’s president. However, after the ransom was paid, the hospital was not provided with the key to unlock its data. Kansas Heart did not pay the second ransom, but the incident makes clear a frightening fact: these attacks will likely get worse before a comprehensive cyber-security solution can be found.

The large uptick in ransomware attacks has sparked concern among many security experts and the government. The Senate Judiciary Committee held a hearing on May 28th about the broader issue of ransomware attacks across industries, but the discussion was largely focused on the healthcare industry. Adam Meyers, an expert who has worked in the cyber-security field for over fifteen years, testified in front of the Committee and urged the medical industry to train its personnel in spotting suspicious e-mails and links. He also strongly encouraged hospitals to have a separate back-up network, which allows the hospital to more easily recover files that may otherwise be lost forever.

The College of Healthcare Information and Management Executives (CHIME) also provided a statement to the Committee with its recommendations for combatting ransomware attacks. In its statement, CHIME pointed out that much of the IT money and resources in the medical industry have focused on HIPAA regulations and patient file privacy, rather than network security. CHIME recommended that policymakers give the health industry incentives that will encourage investment in IT. CHIME also recommended that Congress reduce the complexity of the regulation that governs the healthcare industry. With more uniform and less complicated security regulations, healthcare providers can spend more time and money monitoring against daily threats. Alisa Walker, a partner at Baker Donelson, a top health law firm, wrote last month about the importance of a comprehensive preparedness plan. She recommends that hospitals (as well as other industries) treat ransomware threats similarly to any other physical security threat.

It is clear that ransomware attacks will continue to climb, and both the healthcare industry and lawmakers will have to make significant changes in how these threats are handled. Lawmakers have to create serious cyber-security regulations, and the healthcare industry will have to use significant time and resources to comply.