In today’s installment of “straight out of Hollywood” (literally and figuratively), a Los Angeles hospital was nearly crippled by a ransomware attack on its network. Hollywood Presbyterian had to revert to paper medical records and registration for admitted cases, while emergency room patients were actually diverted to other hospitals, potentially causing life-threatening delays in trauma treatment.
What’s so horrible about a little computer glitch that would keep a hospital from treating a critically ill patient? Everything.
Ransomware, as the name implies, is malicious software that infects a network and roots around, often disabling critical systems and bringing business to a halt. In exchange for meeting the hacker’s demands, the victim is offered a clean-up option to restore network function. In this hospital’s case, the details are murky while the FBI still investigates, but some reports uncovered by Ars Technica claimed that the hospital’s computers were shut down for nearly a week and that the ransom amount was around 9,000 bitcoin, or slightly under $4 million.
This type of crime creates great plot points in a cyberthriller, but it’s not so entertaining when it’s your loved one’s life on the line. Unfortunately, there are often two culprits in any kind of ransomware attack: the hacker and the business itself. Hospitals are just one type of business that is notorious for running the bare minimum in security and paying dearly as a result, as evidenced by the growing problem of data breaches that affect medical centers. Too often, hospital technology is outdated as well; you can’t exactly shut down a hospital for a month while you install all new computers and servers and train all of the staff on the new system.
Sadly, this is a trend that may continue, or even grow, due to the inherent policing of the medical industry. As Ars Technica points out, hospitals may be more likely to pay the ransom (as opposed to ditching the network and buying new computers, like a different business might) because they can face crippling fines for violating patient confidentiality. If a hacker accesses patient information and threatens to unleash it online, the hospital will be left accountable to the government. Paying the ransom (and thereby reinforcing this crime) may be the cheaper option.