Los Angeles Hospital Pays Ransomware To Recover Systems

Computer systems at the almost 100-year-old Hollywood Presbyterian Medical Center in Los Angeles were down for over a week after the hospital was hacked.

The story started about ten days ago when users at the teaching hospital, which is associated with USC, began having problems accessing the electronic health record system at the hospital.  They could not access some patient records and email.

In fact, some patients had to be transported to other hospitals because the computer-based equipment at HPMC was down.  The pharmacy was down.  And some 911 patients had to be diverted to other hospitals.

The hospital had to rely on fax machines and phones and when patients were admitted to the hospital, the admissions people had to fill out paper forms.

What had happened was that the hospital had been hit by ransomware – software that encrypts key files and then demands a ransom to decrypt them.  Initial reports were that the hackers were asking for over $3 million.  In the end, it turned out that they only wanted $17,000.

While the hospital had involved the LAPD and the FBI, all they could do was try and find the hackers – who were not in the United States.

The hospital, apparently, did not have an effective business continuity plan in case of an attack.  I suspect that they may be working on one right now.

After over a week of being down, the hospital agreed to the ransom and received the decryption keys.

The hospital’s CEO, Alan Stefanek, said that it was a business decision.  After being down for 10 days and not having an effective disaster recovery plan or business continuity plan, the hospital had no choice other than to pay the hacker, in Bitcoin.  (Note: this is my translation of what he actually said; read the press release for his actual words.)

In a press release, the hospital said that the incident did not affect the delivery and quality of excellent patient care you expect and receive from HPMC.  If by that the CEO meant that they sent people to other hospitals to get that excellent care, then I guess you could say that he is correct.

The number of ransomware cases is exploding because most individuals and many businesses do not have a disaster recovery and business continuity plan at all, let alone a tested one.

Forbes is reporting that one strain of ransomware, Locky, is infecting 90,000 machines a day.  If hackers ask for just $500 a machine and everyone pays up, that would net the hackers about $16 billion a year.  If even a quarter of the people pay up that would still generate $4 billion a year and that is only one strain of ransomware.

HPMC claims the hackers did not access patient records and did not modify them.  Maybe in this case that is true.  Maybe not.  But certainly if the hackers were able to encrypt the files, they certainly could have transmitted either the encrypted or unencrypted versions of those files to Minsk, Kiev or wherever they are located.

It is clear that a ransomware attack is something that companies especially need to prepare for.  What would happen to your company if your computer systems were down for 10 days?  In the past there have been some ransomware attacks where either the hacker did not provide a key after the ransom was paid or due to a bug in the encryption software, the hackers were unable to decrypt the files.  What would your company do in that circumstance?

Information for this post came from CSO Online, CBS, HPMC and Forbes.

2 thoughts on “Los Angeles Hospital Pays Ransomware To Recover Systems”

  1. Mitch…so other than doing daily backups and rehearsing the restoration of data processes…and not clicking on any unknown links in emails…what else can people do to protect themselves from this kind of attack?

    1. There are several things to consider.

      For example, one way ransomware spreads is through users having write access, especially to network drives and even more disastrously, when those are system admins and the network drives are system drives. Soooo, keep write access to an absolute minimum. This means that admins should have separate administrative accounts (with elevated permissions) and that they only use these accounts when performing system maintenance. There should be no email and no web browsing from these accounts – that is an effective deterrent to laziness of “well I will only check email or surf the web this one time and BOOM@!”.

      Another protection mechanism is to completely block network (IP) addresses from countries that your company does not do business in. If you don’t do business in Asia, block the entire continent. Same thing with Africa and so on. While this mechanism is far from perfect, it does block some malicious traffic.

      Adding email security mechanisms like DomainKeys Identified Mail (DKIM) is another protection. This is a mechanism that helps validate the sender of an email. An alternative to DKIM is Sender Policy Framework or SPF. Both of these mechanisms help weed out email coming from domains other than where they claim to have come from.

      The idea is to chip away at the bad guys’ tools for attacking you a little bit at a time. There are other mechanisms, but these are free other than some labor. Contact us if you want help designing these and other deterrents.
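To show concretely how the SPF check mentioned in the reply above weeds out mail from domains it does not claim to come from, here is an added example (not part of the original post or the commenter's reply) that evaluates a sender IP against SPF records. The DNS TXT data is constructed and embedded in place of real DNS lookups; the `example.com` and `mail.example.net` domains and their records are assumptions for illustration, and only the `ip4`, `ip6`, `include` and `all` mechanisms are handled.

```python
"""Minimal SPF evaluation (RFC 7208 subset) against constructed DNS data."""
import ipaddress

# Constructed stand-in for DNS TXT lookups. A real receiver would query DNS
# for the TXT record of the domain in the envelope sender (MAIL FROM).
FAKE_DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:mail.example.net -all",
    "mail.example.net": "v=spf1 ip4:198.51.100.10 ~all",
}

QUALIFIER_RESULT = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def get_spf(domain, txt=FAKE_DNS_TXT):
    """Return the SPF record for domain, or None if it publishes none."""
    rec = txt.get(domain, "")
    return rec if rec.startswith("v=spf1") else None


def check_spf(sender_ip, domain, txt=FAKE_DNS_TXT, depth=0):
    """Evaluate sender_ip against domain's SPF policy.

    Returns 'pass', 'fail', 'softfail', 'neutral', 'none' or 'permerror'.
    A 'fail' means the domain explicitly says this host may not send for it.
    """
    if depth > 10:  # RFC 7208 caps DNS-querying mechanisms (include etc.) at 10
        return "permerror"
    record = get_spf(domain, txt)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        qualifier = "+"               # default qualifier is "+" (pass)
        if term[0] in QUALIFIER_RESULT:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        matched = False
        if mech in ("ip4", "ip6"):
            # Address family mismatch simply does not match.
            matched = ip in ipaddress.ip_network(arg, strict=False)
        elif mech == "include":
            # include: matches only if the referenced domain returns "pass".
            matched = check_spf(sender_ip, arg, txt, depth + 1) == "pass"
        elif mech == "all":
            matched = True
        if matched:
            return QUALIFIER_RESULT[qualifier]
    return "neutral"  # no mechanism matched and no "all" term was present
```

A mail gateway would typically reject or quarantine on `fail`, treat `softfail` as a spam signal, and accept `pass`; `none` means the domain gives the receiver nothing to check against.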
