Computer systems at the almost 100-year-old Hollywood Presbyterian Medical Center in Los Angeles were down for over a week after the hospital was hacked.
The story started about ten days ago when users at the teaching hospital, which is associated with USC, began having problems accessing the hospital's electronic health record system. They could not access some patient records and email.
In fact, some patients had to be transported to other hospitals because the computer-based equipment at HPMC was down. The pharmacy was down. And some 911 patients had to be diverted to other hospitals.
The hospital had to rely on fax machines and phones, and when patients were admitted, the admissions people had to fill out paper forms.
What had happened was that the hospital had been hacked by a hacker using ransomware – software that encrypts key files and then demands a ransom to decrypt the files. Initial reports were that the hackers were asking for over $3 million. In the end, it turns out that they only wanted $17,000.
While the hospital had involved the LAPD and the FBI, all they could do was try to find the hackers – who were not in the United States.
The hospital, apparently, did not have an effective business continuity plan in case of an attack. I suspect that they may be working on one right now.
After over a week of being down, the hospital agreed to the ransom and received the decryption keys.
The hospital’s CEO, Allen Stefanek, said that it was a business decision. After being down for 10 days and not having an effective disaster recovery plan or business continuity plan, the hospital had no choice other than to pay the hacker, in Bitcoins. (Note: this is my translation of what he actually said; read the press release for his actual words.)
In a press release, the hospital said that the incident did not affect the delivery and quality of excellent patient care you expect and receive from HPMC. If by that the CEO meant that they sent people to other hospitals to get that excellent care, then I guess you could say that he is correct.
The number of cases of ransomware is exploding because most individuals and many businesses either do not have a disaster recovery and business continuity plan at all or do not have a tested one.
Forbes is reporting that one strain of ransomware, Locky, is infecting 90,000 machines a day. If hackers ask for just $500 a machine and everyone pays up, that would net the hackers about $16 billion a year. If even a quarter of the people pay up, that would still generate $4 billion a year, and that is only one strain of ransomware.
HPMC claims the hackers did not access patient records and did not modify them. Maybe in this case that is true. Maybe not. But if the hackers were able to encrypt the files, they certainly could have transmitted either the encrypted or unencrypted versions of those files to Minsk, Kiev or wherever they are located.
It is clear that a ransomware attack is something that companies especially need to prepare for. What would happen to your company if your computer systems were down for 10 days? In the past there have been some ransomware attacks where either the hacker did not provide a key after the ransom was paid or, due to a bug in the encryption software, the hackers were unable to decrypt the files. What would your company do in that circumstance?