By Maggie M. Arcaro
Targeted cyber “hold-ups” are on the rise. Last week, Hollywood Presbyterian Medical Center in Los Angeles made headlines after choosing to make a ransom payment to end a ten-day lockdown of its computer system, including its electronic medical records system. The attackers used ransomware, a type of malware that takes a computer system hostage by blocking access to the system until a ransom demand is paid, to force Hollywood Presbyterian to make the ransom payment. Some forms of ransomware also display an official-looking legal warning across your screen, claiming you’ve committed a crime and demanding a certain payment to avoid legal prosecution or jail.
This type of cyber-attack is particularly concerning for hospitals that rely on electronic medical record systems to perform their clinical activities: the lockdown of these systems is essentially paralyzing. In the case of Hollywood Presbyterian, the ransom demand involved a relatively low payment of 40 bitcoins, which is equivalent to approximately $17,000. During the ten-day lockout period before the ransom was paid, the hospital was forced to use paper and fax machines to transmit information and to reroute a number of emergency patients to other hospitals. Ultimately, hospital executives decided that paying the ransom was the fastest way to restore hospital systems and resume normal operations. Since going public about the attack, the hospital has confirmed that no patient records were breached as a result of the incident.
Security experts and law enforcement officials encourage businesses and individuals who are the victims of ransomware attacks to resist paying the ransom demand, as paying creates a culture of acquiescence that may encourage cyber attackers to demand increasingly high payments in order to end a lockdown. Historically, hospitals have been particularly vulnerable to these types of attacks because many medical systems rely on outdated software. In particular, medical devices with embedded software, such as MRI machines, fetal monitors, and IV pumps, tend to run older software with unpatched bugs that are vulnerable to cyber-attacks.
Most ransomware is introduced into computer systems through phishing attacks (i.e., a link sent by email that someone inadvertently clicks on). Therefore, ongoing data security training for employees and efforts to increase awareness of common attack schemes are among the most effective and cost-efficient means of defending your business from a cyber-attack. While prevention efforts are certainly crucial, it’s also important to take a proactive stance by establishing a breach response plan for mitigating the effects of a future attack.
For assistance in developing data security training programs and proactive breach response plans, please contact the author of this post or a member of the Polsinelli Privacy and Data Security team.