HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Second Californian Healthcare Ransomware Attack Announced

Just a few weeks have passed since Hollywood Presbyterian Medical Center suffered a ransomware infection; now a second ransomware attack has occurred in California, this time affecting the Los Angeles County Department of Health Services.

The ransomware infected 5 computers used by Los Angeles DHS, although officials have reported the ransomware attack has not affected operations. The infection was contained and did not spread laterally to infect the DHS network. While Hollywood Presbyterian Medical Center felt the best course of action was to give in to the demands of the attackers and pay a 40 Bitcoin ($17,000) ransom, officials at LA’s DHS have said they have no intention of paying a ransom to unlock the affected computers.

The latest attack is much less severe than the attack on HPMC and did not resulted in the locking of critical data. The ransomware infection only locked “a few of employees’ systems.” Had the infection spread, LA County DHS may have had little choice but to pay the ransom.

Healthcare organizations have been targeted with malware and ransomware attacks with increased frequency in recent months, although these two ransomware attacks do not appear to have been targeted. Both are believed to have been random attacks.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Reducing the Risk of a Ransomware Attack

Ransomware is commonly spread via spam email. The malicious file-encrypting software can also be downloaded onto computers and networks by other malware. Cybercriminals also use websites hosting exploit kits to probe for security vulnerabilities in browsers and plugins and perform drive-by attacks which automatically download the malicious software onto devices.

One of the best forms of defense is education of the workforce. Employees should be advised of the risk of ransomware and other malware and told to exercise caution. They should be told not open any email attachments sent from individuals they do not know. Education programs should be conducted to advise employees how to identify phishing emails. Phishing email training exercises can also be highly beneficial and can prevent attacks from being successful.

Devices can be protected from drive-by malware downloads by ensuring that browsers are updated, unnecessary plugins are disabled, and if IT departments implement good patch management practices.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.