Few stories in the health care sector have been as shocking as the revelation that the Hollywood Presbyterian Medical Center paid almost $17,000 to hackers to restore their data network. The sheer brazenness of such a cyber-attack on a major Southern California hospital startled much of the medical community—and the general public. Coupled with the highly publicized admission from CEO Allen Stefanek that the organization conceded to the demands, this story highlights the increasing vulnerability of health care organizations to cyber-criminals. Although the nature of the crime and the hospital’s very public response sensationalized this story, cyber-criminals have been targeting the health care sector for some time. A report from KPMG found that 81 percent of health care organizations have been attacked by some form of cyber intrusion in the past two years. These attacks, successful or not, have cost the industry more than $6 billion a year. On average, a data breach will cost a hospital almost $2.1 million. In most of the cyber-attacks, criminal organizations are seeking medical records which have a considerably higher value than financial or other personal records. High profile breaches like that involving Anthem or Community Health Systems, Inc. exposed millions of consumers to blackmail and identity theft. In comparison to those attacks, the victimization of a single hospital for only $17,000 appears paltry, but the sophistication of the attack and the limp-wristed response from the Hollywood Presbyterian Medical Center have startled many industry professionals. While the details of the attack remain unpublicized, it is clear that hackers hijacked control of Hollywood Presbyterian’s data network using a “ransomware” program, which locks out administrators until a password provided by the hackers is entered. Hollywood Presbyterian eventually obtained this password by paying the ransom in bitcoins. What concerns so many in the health care and law enforcement community is the complete helplessness of such a large and high profile organization. Stefanek stated that the ransom was paid because it was “the quickest and most efficient way to restore our systems.” Obviously, if they had a cost effective workaround for the ransomware, they would have chosen that; it appears that the hospital decided the cheapest and most expedient solution was to hand over the money. In effect, our most important health care organizations are now at the complete mercy of organized crime. Not only are most of these groups poorly protected—due to limited cyber-defense allocations and burdensome legal mandates—but when these defenses are compromised, many organizations will capitulate to hackers’ demands with little or no resistance. As long as it costs less to do so, medical organizations are perfectly willing to hand over the keys to the kingdom. The Hollywood Presbyterian Medical Center story is the latest in a long line of health care cyber crimes, but it certainly will not be the last. Until hospitals recognize that they are repositories of highly valuable data and take steps that the retail and financial sectors took long ago to safeguard their data assets, more health care organizations will become cyber victims.
Written by: Robert Moghim, M.D., CEO- Moghim Medical Consulting Inc.