In a chain of events that should be a wake-up call to any entity using and storing critical health information (and indeed, ANY kind of critical information), Hollywood Presbyterian Medical Center (“HPMC”) has announced that it paid hackers $17,000 to end a ransomware attack on the hospital’s computer systems. On February 5, HPMC fell victim to an attack that locked access to the medical center’s electronic medical record (“EMR”) system and blocked the electronic exchange of patient information. Earlier reports indicated that the hackers had originally demanded $3,400,000.Such “ransomware” attacks are caused by computer viruses that wall off or encrypt data to prevent user access. Hackers hold the data ransom, demanding payment for the decryption key necessary to unlock the data. The attacks are often caused by email phishing scams. The scams may be random or target particular businesses or entities. In the case of HPMC, the medical center’s president and CEO indicated to media outlets that the attack was random, though Brian Barrett, writing for Wired, questioned that assertion.The medical center’s announcement of the resolution of the incident indicates that there is no evidence that patient or employee information was accessed by the hackers as part of the attack. Even if the data was not compromised, the attack led to enormous hassles at the hospital, returning it to a pre-electronic record-keeping system.
We have seen many variations of the ransomware attacks on the increase lately. Cryptolocker and Cryptowall are the two most prevalent threats, but a Forbes article about the HPMC attack revealed that HPMC was victimized by a variant called “Locky,” which, according to the Forbes article, is infecting about 90,000 machines a day.
Details of the HPMC Incident
On February 2, 2016, three days before the HPMC attack, the Department of Health & Human Services Office for Civil Rights (“OCR”) announced the launch of its new Cyber-Awareness Initiative. That announcement included information on ransomware attacks and prevention strategies. Suggested prevention strategies from OCR included:
- Backing up data onto segmented networks or external devices and making sure backups are current. That protects you from data loss of any kind, whether caused by ransomware, flood, fire, loss, etc. If your system is adequately backed up, you may not need to pay ransom to get your data unlocked.
- Don’t be the low-hanging fruit: Ensuring software patches and anti-virus are current and updated will certainly help. Many attacks rely on exploiting security bugs that already have available fixes.
- Installing pop-up blockers and ad-blocking software.
- Implementing browser filters and smart email practices.
Most of these prevention strategies are HIPAA security and overall general business security measures that ought to be in place for companies across the board. As OCR and the FBI (see below) both indicate, smart email practices and training the workforce on them are key elements to preventing phishing scams. If you are a HIPAA-covered entity, you should be checking in with Mintz’s Health Law & Policy Matters blog on a regular basis.
FBI on Ransomware
One of the big questions arising out of the HPMC and other ransomware cases is: do we pay? If your business is about to grind to a halt, you likely have no choice. However, the incident should first be reported to the FBI and discussed with forensics and legal experts who have experience with ransomware in particular. The FBI’s Ransomware information page provides some tips. Ransomware attacks should be part of your incident response plan and the “what do we do” should be discussed at the highest levels of the company.
When in Doubt, Don’t Be a Click Monkey!
Before clicking on a link in an email or opening an attachment, consider contextual clues in the email. The following types of messages should be considered suspicious:
- A shipping confirmation that does not appear to be related to a package you have actually sent or expect to receive.
- A message about a sensitive topic (e.g., taxes, bank accounts, other websites with log-in information) that has multiple parties in the To: or cc: line.
- A bank with whom you do not do business asking you to reset your password.
- A message with an attachment but no text in the body.
All businesses in any sector need to take notice of the HPMC attack and take steps to ensure that they are not the next hostages in a ransomware scheme.