Methodist Hospital in Henderson, Kentucky. Population 28,000. Methodist made the news this week as the most recent health care institution to fall to a ransomware attack. According to Brian Krebs, the hospital had a scrolling red alert banner on their web site (see below, image from Brian’s web site) saying that they were running on an internal state of emergency due to a computer virus that limited their use of online services.
The attackers were asking for 4 bitcoins (about $1,600) for the encryption key.
After being down for 5 days, the hospital says they are now back online and did not pay the ransom. They also say that no patient data was compromised.
Last month it was Hollywood Presbyterian in Los Angeles; this month Methodist in Kentucky and Chino Valley and Desert Valley in southern California.
While Hollywood Presbyterian paid the ransom, the other 3 said that they did not. All of them said that no patient data was compromised.
Two thoughts here. First, all of these facilities acknowledged that the attacks caused significant disruption. I assume that at least some of these hospitals will look at their security and disaster recovery mechanisms to see if they can be improved. Four hospitals in 30 days have made the news as having been penetrated by hackers using ransomware attacks. Does that mean that hackers think that health care facilities are soft, easy targets, and that some percentage will pay up like Hollywood did because their disaster recovery mechanisms are not good enough?
I doubt we would even hear about smaller facilities like doctor’s offices or clinics, so we don’t know how widespread this problem is.
If the attackers are successful, do they raise their prices? $1,600 for a hospital sounds like a small price to pay to get your online services working again.
Second, and maybe a bigger problem, is patient data. If the hackers are not being successful, do they start taking copies of the patient data, sending it to Moldova (or wherever they are) and saying that they will release the data unless the ransom is paid? That malware is probably a little bit harder to write, but I suspect the “conversion rate” – percentage of facilities that pay up – might be a whole lot higher. If you have a ransomware attack but no breach, you might get a visit from the HHS Office of Civil Rights, but maybe not. If you have a ransomware attack with a breach, the odds of a visit from them go up significantly. So does the chance of a lawsuit.
The challenge for the health care industry is that five years ago the predominant patient care tracking mechanism was a paper chart on a clipboard. Not so any more. The velocity is pretty high and the acceleration is even higher. The challenge for all health care providers is how to create a secure environment that does not negatively impact patient care and staff cooperation.
That is not an easy task.