Healthcare Ransomware Infection Removed After $17K Ransom Paid
Healthcare ransomware infections can cause major disruption and can have a negative impact on patient health. This week, Hollywood Presbyterian Medical Center took the decision to give in to a ransom demand and paid cybercriminals nearly $17,000 for a security key to unlock its EHR.
What is Ransomware?
Just as healthcare providers take the decision to use data encryption to prevent criminals from gaining access to patient data on laptop computers and portable storage media, encryption can also be used against healthcare providers. Ransomware locks computer files with powerful encryption. To unlock the data a security key must be used. However, the key needed to unlock the data is held by the cybercriminals behind the ransomware attack.
The security key cannot be cracked like a password. The only way to recover from a healthcare ransomware infection is to pay the ransom or restore all encrypted data from a backup. This is not always straightforward. Backups are not conducted every second, so some data loss is inevitable. Restoring data from backup files is also not always successful and can be a very time-consuming process. A healthcare ransomware infection may require all affected computers to be reimaged, adding considerably to the recovery time.
While paying cybercriminals to remedy a healthcare ransomware infection is galling, the reality is it may be the cheapest option, and in a healthcare environment the impact locked EHRs have on medical staff and patients can make paying a ransom preferable to the long and difficult process of disinfection, reimaging, and data restoration.
Healthcare Ransomware is a Very Real Threat – Hospital Takes Decision to Pay $17,000 Ransom
On February 5, 2015, Hollywood Presbyterian Medical Center suffered a ransomware attack that locked critical files on the hospital’s computer network, including its electronic health record system.
The impact of the malware infection was felt instantly, with physicians and other hospital staff reporting difficulties accessing patient health records and other critical files. Upon investigation, it was discovered that the malware infection had locked the enterprise-wide computer system.
Initial reports of the hospital receiving a $3.6 million ransom demand were false. An unnamed source told reporters that the cybercriminals behind the attack had demanded 9,000 in Bitcoin to supply the security keys. Allen Stefanek, President & CEO of Hollywood Presbyterian Medical Center, confirmed that the ransom demand was for 40 Bitcoin – $16,664 – and that the ransom had been paid. However, the payment was made only after efforts to remediate the issue without giving in to the ransom demand.
The hospital’s computer system was down for well over a week while security experts tried to deal with the infection and bring the system back online. The ransomware attack was reported to law enforcement and attempts were made to discover the identity of the individuals responsible. That investigation is ongoing and it is hoped that the person or persons behind the attack make a mistake and leave a trace that will lead to their arrest.
The decision to pay the ransom was made as it was determined to be in the best interests of patients and staff, as it was the quickest and easiest option to allow the hospital to return to normal service. The EHR was restored on February 15.
The ransomware attack did not prevent patients from receiving medical care, although it did stop the healthcare provider sharing health data electronically.
The security keys were supplied on payment of the ransom, allowing the EHR to be unlocked. Computer experts then sanitized the EHR and computer network, and all traces of the malware have now been removed.