Today national news outlets are reporting a hacking assault on Hollywood Presbyterian Medical Center in California. According to authorities, the hospital was the victim of a cyber-attack on February 5 that locked the hospital out of its computer systems using ransomware to infect their network. The unknown hackers seized control of the hospital’s computer systems and would only give access back if a $17,000 ransom was paid in bitcoins.
The hospital opted to pay the ransom before notifying authorities. In a statement to the Los Angeles Times, hospital CEO Allen Stefanek said, “The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the encryption key. In the best interest of restoring normal operations, we did this.” Stefanek further stated that patient care was never compromised, nor were hospital records. The attack forced the hospital to return to handwritten record-keeping while the systems were unavailable.
Under federal law, potential PHI breaches involving more than 500 people are required to be reported to the Department of Health & Human Services – Office for Civil Rights (“OCR”). OCR is responsible for enforcing HIPAA Privacy and Security Rules (45 C.F.R Parts 160 164, Subparts A, C and E) and carries out this responsibility by investigating complaints. In this case, the hospital reported the hack to the Los Angeles Police Department and the FBI. As of now, the FBI has taken control of the hacking investigation however, because this hack potentially exposed electronic PHI, OCR is more than likely to respond to this incident.
Recent hacks to healthcare organizations have been highly sophisticated attacks on information technology systems to gain access to electronic PHI for social security numbers, dates of birth, addresses and phone numbers in order to steal patient identity for financial gain. The attack on Hollywood Presbyterian Medical Center is unusual in that it is perhaps the first reported ransomware attack on a hospital system. As evidenced by breaches reported in 2015, healthcare providers are proving to be both easy and data-rich targets for hackers. While some breaches were massive, such as those for BCBS, Anthem, and Premera, smaller organizations such as physician groups, pharmacies, and labs are equally at risk for a ransomware attack or a hack for electronic PHI. Outdated technology, insecure network-enabled devices, complex data systems with multiple points of entry, and an overall lack of information security procedures and processes are making health systems particularly vulnerable to cyber-attacks.
The assault on Hollywood Presbyterian serves as yet another glaring example of the need for constant vigilance of corporate IT systems, particularly in those sectors that maintain data subject to HIPAA and HITECH. Given the potential legal liability for non-compliance, and the increased focus on enforcement seen in the last several years, companies must count data security as among their highest priorities. All healthcare providers should take action to address their HIPAA protocols, perform audits to test for breach vulnerability, and update their response plans to include your organization’s response to a ransomware attack.