While management at hospitals and other health care providers has long been aware of the need to implement computer security policies to comply with HIPAA’s requirements for protecting sensitive patient information, cybersecurity may have rocketed to the top of management’s priority list in the wake of the recent cyberattack on Hollywood Presbyterian Medical Center (HPMC) that left the hospital unable to access some of its computer systems for ten days.
Beginning on February 5, 2016, HPMC was the victim of a ransomware attack, a type of computer attack in which a computer virus encrypts computer files and thus prevents users from accessing the files until a ransom is paid. In this case, the ransomware attack locked access to certain computer systems, including the hospitals electronic medical record system, and prevented the hospital from sharing communications electronically. According to press reports, the ransomware attack interfered with hospital operations, forcing doctors to communicate by fax, nurses to record information on old-fashioned paper charts, and patients to drive to the hospital to pick up test results in person. HPMC ultimately paid the attackers’ request for 40 bitcoins, equivalent to approximately $17,000, because the hospital believed that doing so was the quickest and most efficient way to restore normal operations. (Earlier press reports had indicated that the perpetrators were demanding 9,000 bitcoins, which is the equivalent of about $3.6 million.)
This incident comes in the wake of similar attacks in January at a regional hospital in Texas and in September 2015 at a hospital in Florida. Other attacks have likely gone unreported, as most current breach notification rules only apply if personal identifying information is exposed, not if the information is rendered inaccessible.
Despite its experience with implementing the HIPAA regulations, the health care industry lags behind the financial services and retail sectors in its preparations to fight growing cyber threats. However, as exemplified by not only the recent ransomware attacks, but also the hundreds of documented attacks on radiology imaging software, payment systems, video conferencing equipment, routers, and firewalls, the threat to information maintained by health care providers is very real. Health care providers should review their existing cybersecurity policies and procedures and take proactive steps to ensure that they are not vulnerable to potential attacks.