February 20, 2016 | 5 Min. Read

Internal Emergency – Hackers Held a Hollywood Hospital Ransom for 10 Days

Were Hollywood Hospital Hackers After More Than Just a $17k Payout?

Wes Wineberg, Senior Security Research Engineer at Synack

“In terms of this malware attack and possible attacker motivation, let’s take a hacker perspective on what would have been possible.  I think the following are valid assumptions:

  • The malware had full administrative level control of the medical center’s systems
  • The medical center had little to no network monitoring in place, essentially, they did not see the malware coming until the damage was done

So did the malware authors actually attempt to steal patient data? –  I wouldn’t be at all surprised if they did due to the value of the information, but it is also feasible that the actor was focused solely on extortion for immediate monetary gain. Tracking analysis of the malware actor’s activity could potentially answer this question.

Ransomware malware is typically not focused on hiding itself and covering its tracks, but from a technical perspective, administrative access to a PC is all that’s needed to erase any records of activity on that system. Network monitoring could potentially have caught the activity, but per assumption #2, I doubt the Hollywood hospital had any effective monitoring. Therefore, if the attacker had wanted to, they could have made it very unlikely that a forensic or incident response team could find all the malware activities with any level of certainty.

Is lost data the real issue ? Or that the medical center has been negligent in securing operational systems and confidential data in the first place?”

When talking healthcare and security, we can’t leave out HIPAA privacy. The President/CEO of the medical center declared that patient privacy was NOT compromised — his reasoning — “there is no evidence at this time”. But why would he admit otherwise? HIPAA fines don’t come until a breach of patient privacy has been proven, and doesn’t have to be publicly reported unless over 500 patients are affected, so… DENY DENY DENY, and claim the investigation is ongoing if rumors spread otherwise. Patient care and privacy are supposed to be priorities #1 and #2, but are they?” Optimistic outlook, we’ll see.. (read: I’ll keep an eye on the OCR breach portal..).

Unfortunately, I don’t think this will be the worst of the attacks we will see this year. A 2015 Mandiant Report (Healthcare Breaches- The Next Digital Epidemic) gave Healthcare a grade of “D” in “Security Grades by Industry”. Medical centers and care centers across the country are a prime target of cyber criminals as 43% of breaches target the healthcare space. The significant increase in adoption of EHRs and digital technologies over the past 5-10 years has created a digital “treasure trove” of information including birthdates, social security records, addresses, insurance details, mother’s maiden name, etc., while security solutions and teams in the space have remained only modest obstacles in the way of cyber criminals.

Overview: Healthcare – Prepare for Ransomware, it’s Here to Stay

Oren Yomtov, Security Research Engineer

“Ransomware is on the rise for a simple reason – it has better ROI than other traditional use cases of compromised computers, therefore we should expect to see a growing number of similar headlines in the future. Why would a cybercriminal sell access to a random compromised computer for a fraction of a dollar on the dark web, when he/she can instead possibly earn $200-$10,000 by installing ransomware?”

Forrester Researcher, as part of their 2016 cybersecurity predictions, recently commented on the criticality of healthcare being prone to ransomware attacks.

The Ransomware attack that occurred on February 5th crippled the Hollywood medical center’s computer systems for over a week, finally being remediated on Monday the 15th – an ominous sign of things to come. Only after the hospital forked over 40 Bitcoin, roughly $17,000, in order to obtain the decryption key as reported in an open letter from Allen Stefanek, President & CEO of the medical center, did the hospital restore computer system and Electronic Medical Record operations (Initial reports suggested that the attackers were demanding up to 9000 Bitcoin / $3.6 Million).

The attack caused full computer shutdowns, blocked access to Electronic Medical Records (EMRs) and email, (causing physicians to try and communicate via overloaded fax machines), disruption of some laboratories, imaging facilities and the Radiation and Oncology depts. Yet Stefanek proclaimed that patient care was not affected, despite press reports throughout the week that patients were being re-routed and transported to other facilities as certain critical operations were brought to a halt by the attack.

A $17,000 price tag for now to get operations back up-and-running could be dwarfed by HIPAA fines if patient privacy was indeed compromised, not to mention the resulting brand damage the medical center now faces.

Healthcare organizations need to take a more proactive approach to information and device security, or else they will continue to lose in the battle against hackers fighting to break into and shutdown systems in extortion attempts, exfiltrate confidential data and health information, or compromise connected devices.

Following an eye opening 2015 which highlighted just how vulnerable the healthcare industry is to cyber threats through mass scale breaches (e.g. Anthem, Premera, Excellus, UCLA Health), the FDA release of the draft guidance for “Postmarket Management of Cybersecurity in Medical Devices” two weeks into this year, and now this attack at Hollywood Presbyterian Hospital gaining widespread coverage, cyber security in the healthcare space will clearly be something to keep an eye on this year.



Leave a Reply

Your email address will not be published. Required fields are marked *