If you haven’t heard about it yet, a hospital in Hollywood, California, has been electronically dead in the water for over a week now.
Hackers are holding its medical record systems hostage until they are paid $3.6m (just over 8,500 in bitcoin).
While ransomware is most commonly used to attack home computers and extort money in exchange for a key code, the persistent vulnerability of healthcare and the growing boldness of cybercriminals are making for an increasingly high-risk environment for today’s healthcare organizations.
We’ll discuss this issue in more detail, but first allow me to draw your attention to our webinar on Reputation & Risk: Corporate Reputation & Social Media in Healthcare, which takes place from midday-3pm EST today (Thursday 18 February).
We will discuss these and other topics including Branding & Social Media, Employment Law, Digital Media and Freedom of Speech, and Cyber Security.
Staff at Hollywood Presbyterian Medical Center in Los Angeles have been left filling out forms by hand and completely unable to perform some procedures, including CT scans.
Their patients have also been left to retrieve and deliver their own medical information to providers and many are being transported to other facilities for treatment.
Patient data, emails, medical charts, imaging documents, and more are completely unavailable until the systems come back online, according to BBC News.
Right now, callers to the hospital are greeted by a voicemail message that informs patients their medical records have not been accessed by hackers.
The hospital has also assured the community that patient care will not be impacted (despite complaints from patients).
Officials have not yet commented on the ransom, but CEO Allen Stefanek has declared a state of “internal emergency.”
You can be assured that this hospital’s reviews will soon reflect not only their vulnerability to a cyber attack, but also how it’s been handled by staff and administration.
We’re looking at two issues here:
- The risk Hollywood Presbyterian was operating under before the attack.
- How it is handling the situation now.
Not much has been revealed about the details of the attack. We don’t know for sure how it started, the hospital’s history with cyberattacks, or if it had emergency plans in place.
We don’t know whether they had a PR plan (it honestly seems like they didn’t) or whether they had their employees trained to manually look up and enter codes on patient charts and bills.
Local news outlets appear to be the source of most information about the incident.
We can’t tell what’s going on from the outside, but it very much appears as if this was yet another healthcare organization that ignored the reality of the healthcare environment we live and work in.
Cybersecurity-related issues are a tremendous concern for the healthcare sector.
Breaches in healthcare data are more than just IT concerns or PR damage control cases. They undermine patient trust and harm the provider’s goodwill, and consequently, their bottom line.
The most common answer to the question of why hackers would target hospitals was ‘they are easy targets.’
Hospitals in general, and community hospitals especially, grossly underinvest in security, and hackers can get access to health, insurance and financial information, which has a high resale value.
Even as healthcare organizations ramp up their technology to manage risks, there’s only so much that sophisticated tools and systems can do.
People remain the biggest friend and the biggest foe to patient data security. In today’s digital media environment, it’s everyone’s duty to act responsibly and protect healthcare data.
[Editor’s Note 02/18/16: The Hollywood Presbyterian Medical Center ended up paying around $17,000 as a ransom to the hackers.]