If last year was the year of attacks on health insurance companies, this year seems to be the year of attacks on hospitals.
Hollywood Presbyterian Medical Center. Henderson Kentucky Methodist Hospital. Desert Valley and Chino Valley hospitals in Southern California.
Now it is Medstar Health. Medstar runs 10 hospitals and 250 outpatient clinics and has more than 30,000 employees in the D.C. and Maryland area.
On March 28th, Medstar starting shutting down systems due to a what their P.R. department called a virus attack.
For some reason, the hospital refuses to call it a ransomware attack, but employees say that they saw a ransom note on the screen saying they wanted a ransom of 45 bitcoins or around $19,000. The attackers say that if the hospital does not pay the ransom in 10 days, the attackers will delete the encryption key.
While the hospital P.R. folks say that patient safety was not at risk, employees disagree with that saying that critical safety controls are down. Nurses say that the paper records that they are using are far less comprehensive than the electronic records they normally keep and as a result, vital pieces of medical information may be missing.
Likely, the hospital is worried about being sued if they say that patient care was affected, so they really have no choice but to say what they did say, even though it is likely less than honest.
The non patient safety issue had ambulances diverted to other hospitals in some cases.
While all of these hospitals CLAIM that patient records were not taken, based on HIPAA regulations, because the attackers may have had access to the patient records that were ultimately encrypted, Health and Human Services considers these events a reportable breach.
Medstar says that they are beginning to bring systems back online. It is unclear if they paid the ransom.
These attacks are serious. Some hospitals may not have effective disaster recovery plans and the attackers could move to other, less well prepared organizations such as clinics and doctors.
In addition, the attackers could choose to take copies of patient records and disclose them, adding to the problems.
So far, as far as we know, no patients have died as a result of these attacks, but that is a risk.
Five attacks in less than 30 days is NOT a good trend.
Information for this post came from the Washington Post.