Recently, a hospital in Los Angeles had to pay $17,000, or 40 bitcoins, during a cyber attack in which hackers installed malware and held hospital medical records for ransom. For a short period of time, hospital staff at Hollywood Presbyterian Medical Center had no access to their patients’ medical histories, medications, and test results. For over a week the hospital staff maintained medical records with pen and paper in a hospital system designed around digital records.
The attack is part of a growing trend in a health care system that increasingly relies on technology without maintaining safety measures. Since 2010 at least 158 healthcare organizations, including hospitals, insurers, and medical providers, have been hacked or experienced technology issues that compromised patient safety. Earlier last month the Titus Regional Medical Center in Texas was also hacked and paid a ransom to release medical records. Last July, hackers gained access to 4.5 million patient medical records in the UCLA Health System’s networks.
Hackers gain access to hospital files through malware that can be installed when a staff member clicks on a phony Internet ad (among a variety of other ways). The computers still work and the staff can still see all the patient files, but when anyone attempts to access a file, a message appears with a ransom note and a deadline.
These hacks hurt everyone in the health care industry. Patients undergoing treatment in hospitals that have been hacked may experience problems with the functionality of life-saving medical devices (like heart monitors), or may suffer from errors in communication or medication management when doctors switch from digital to hand-written records.
But patients not currently in the hospital are also at risk. Any patient who has ever been treated at the hospital or had family treated at the hospital is at risk of having their personal health histories become public. Unlike other types of hacked personal data, such as credit card information, you can’t change your health. Hackers will have information about medication and medical equipment needs that will stay with a person for life.
The most important entities in these attacks are the hospitals and other health care institutions themselves. Hackers know that hospitals will pay high ransoms to regain the basic patient information that health care professionals need to keep their patients alive. The hacked 434-bed Hollywood hospital paid the exact ransom, as did the Texas hospital. Experian’s 2015 Data Breach Report estimated that data breaches could cost the health care industry as much as $5.6 billion each year, or $2.1 million per hospital.
Experts expect the next focus of these ‘ransomware’ attacks to be wearables and other personal medical devices.
Bob Hertzberg, a California Senator, has proposed legislation that would make ransomware attacks equal to extortion, making the crime a felony that could result in four years in prison. But many more security measures will need to be in place before patients can rest easy.