Several news media outlets are reporting a recent cyber-attack on Hollywood Presbyterian Medical Center in Los Angeles, California. According to authorities, the hospital was the victim of a cyber-attack on February 5 in which ransomware infected its network and locked the hospital out of its computer systems. According to reports, the unknown hackers seized control of the hospital’s computer systems and demanded a ransom of 40 bitcoin, the equivalent of about $17,000, in exchange for the decryption key.
This attack is unusual in that it is perhaps the first reported ransomware attack on a hospital system. It would appear that large hospital systems as well as smaller organizations such as physician groups, pharmacies, and labs are all at risk for a ransomware attack or a hack for electronic Protected Health Information (PHI).
Ransomware is a type of malware that restricts access to the infected computer system and demands that the rightful users pay a ransom to remove the restriction. Some forms of ransomware systematically encrypt files on the system’s hard drive, which become difficult or impossible to decrypt without the key that the attackers hold, while others simply lock the system and display messages intended to coax the user into paying. Ransomware typically propagates as a trojan, with its payload disguised as a seemingly legitimate file. The Los Angeles Times is reporting that the hospital opted to pay the ransom before notifying authorities. In a statement to the Los Angeles Times, hospital CEO Allen Stefanek said, “The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the encryption key. In the best interest of restoring normal operations, we did this.” Stefanek further stated that patient care was never compromised, nor were hospital records. While access to the system was denied, the hospital went back to handwritten record-keeping and non-electronic forms of communication.
Under federal law, potential PHI breaches involving more than 500 people are required to be reported to the Department of Health & Human Services – Office for Civil Rights (“OCR”). OCR is responsible for enforcing the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160 and 164, Subparts A, C and E) and carries out this responsibility by investigating complaints. In this case, the hospital reported the intrusion to the Los Angeles Police Department and the FBI. While not known now, depending on the potential exposure of electronic PHI, there may be further fallout from OCR.
Past breaches of PHI have typically been highly sophisticated attacks on information technology systems, primarily those of health insurance companies, aimed at obtaining electronic PHI such as social security numbers, dates of birth, addresses and phone numbers in order to steal patient identities for financial gain. This attack on Hollywood Presbyterian Medical Center serves as yet another example of the need for constant vigilance over corporate IT systems, particularly in those sectors that maintain data subject to HIPAA and HITECH. Given the potential legal liability for non-compliance, and the increased focus on enforcement seen in the last several years, data security has become a greater cost and focus for health systems. More will need to be learned regarding the details of this attack. In the meantime, healthcare systems and healthcare providers must remain vigilant: review and update HIPAA protocols, perform self-audits to test for breach vulnerability, and now incorporate the organization’s response to a ransomware attack into those protocols.
If you have any questions, please contact any of the Shareholders in our Health Care Group for further information.