Who would have thought that, for healthcare professionals, performing surgery, working long hours and navigating the dense world of U.S. health law would be easier than protecting hospital computer networks? That, however, appears to be the case after yet another hospital was victimized in a cyberattack. It’s just the latest example of a U.S. medical provider on the wrong end of a digital assault made possible by a lack of security measures.
Doctors at Hollywood Presbyterian Medical Center, in southern California, have been suffering serious computer issues for at least a week, the CEO announced Sunday. Doctors have been unable to digitally access patients’ medical records, staff has been communicating via fax machines and patients have reported long delays in receiving care. It’s all the result of a cyberattack carried out by unknown hackers who are demanding 9,000 bitcoins (roughly $3.4 million) to restore the system to normal.
Hollywood Presbyterian’s CEO told NBC, “Patient privacy has not been compromised,” though the attack again highlights the healthcare sector’s inability to prepare for modern security threats. At least part of the problem is a lack of funding, with the U.S. Department of Health and Human Services asking for $262 million in information security funding under the 2016 budget (a 23 percent increase from 2015). That request wasn’t fulfilled in the final budget omnibus bill that passed in December, though the omnibus does require the department to convene a task force to respond to cybersecurity threats.
“Hospitals are a veritable bullseye for hackers,” said Grayson Milbourne, security intelligence director at the cybersecurity company Webroot, which works with a number of hospitals and healthcare companies. Milbourne added that the value of patient records is an irresistible target for cybercriminals. “For starters, [hospitals] run on a tight budget and their IT infrastructure is often a very low priority when compared to affording new medical devices and staff. Medical devices run on a wide variety of operating systems — making patch management and security updates more challenging. This type of landscape can cause the perfect cybersecurity storm.”
Exactly what occurred at Hollywood Presbyterian remains unclear, though both the FBI and Los Angeles Police Department are investigating. The intrusion has been described as a ransomware attack, which is typically defined as an attack that involves a hacker infiltrating a victim’s computer, and encrypting their data until the victim agrees to pay a bitcoin ransom. The hospital denies any patient data has been compromised, but Michael Kaiser, the director of the National Cybersecurity Alliance, says the distinction is irrelevant.
“Typically we’d say the patient data is what’s extremely valuable here,” Kaiser said. “But in this case it could be that they’re looking at the cyber ability of the institution, and they could see the hospital as an example of the type of institution that has no choice but to pay. What I see here is that they don’t seem to have had any plan on what to do.”
Hospitals, more than other professional environments, need to prepare for a cyberattack just as they would prepare for a natural disaster, sudden influx of patients or other emergency situation, Kaiser said. Key management staff, doctors, nurses, IT staff and the hospital’s public relations team should simulate a scenario in which they lose access to digital patient records, for example, and determine how they would continue treating patients.
“What’s the most recent backup of patient data? Where? Is it in the cloud? Does anyone have alternative ways of accessing that data?” Kaiser said. “Those are the kinds of things they have to look at.”
The urgency is growing. One in three Americans had their health records breached in 2015, according to multiple reports released last month. Many of those records were breached as part of the nation-state hacks on health insurers Anthem and Primera, though experts predict hospitals will become more attractive targets as they begin to rely on insulin pumps, intravenous flows and other machines that are connected to the Internet.