Ransomware attacks: Hospitals need to weigh bottom line--or just take some basic steps

The growing concern over ransomware attacks at hospitals is, for now, a healthcare IT problem, but as the number of such attacks grows it will quickly become a financial one as well.

Just a single ransom sum has been disclosed: Hollywood Presbyterian Medical Center in Los Angeles paid the equivalent of about $17,000 in bitcoin to free up its computer systems last month.

That may not have been a wise move: Steve King, chief operating officer with Netswitch Technology Management, a Northern California consulting firm that focuses on healthcare IT and security issues, told me last month that paying ransoms would set a precedent that would embolden hackers looking for paydays.

"The more they comply with these ransom demands, the more frequently we're going to get these kinds of attacks," King told me. He suggested it might be preferable for some hospitals to simply replace their existing IT systems than succumb to ransoms.

Indeed, the number of attacks has grown. Chino Valley Medical Center and Desert Valley Hospital in Victorville in Southern California and Methodist Hospital in Henderson, Kentucky, have disclosed in recent days they were attacked by ransomware. MedStar in the District of Columbia may have also been attacked. In the first three cases, the organizations apparently did not pay ransom. None of those hospitals have disclosed if their IT systems have returned to normal, and if so, what steps they took to do so.

I've been writing about healthcare IT security frequently for years. Occasionally system breaches are linked to a careless or dishonest employee. But what can only be described as errors of omission are behind many of them. Sometimes it can be as simple as an employee leaving a laptop in his or her car, from which it is then stolen. Or sometimes it involves the mysterious disappearance of a memory stick from an imaging machine. Turning on full-disk encryption for those devices takes a few minutes and often costs nothing, since it is built into current laptop operating systems, but many times it simply isn't done. In the executive suites of many hospitals, a breach continues to be something that happens to other hospitals.

The 17 grand that Hollywood Presbyterian ponied up doesn't sound like much--some hospitals probably charge that much for certain emergency room treatments. But imagine if a hospital's entire EMR system is held hostage, a legacy unit that cost $10 million or $15 million to install and another $750,000 a year to maintain. Would a hospital be willing to pay $1 million or $2 million, or even $5 million, to get it back rather than scrapping it altogether? Would the bottom line dictate that decision? What might happen to its patient records if they're not backed up? And would the ransomware hackers be willing to sell the decryption key to someone else if the hospital decided not to pay?

There's also the Internet of Things--medical devices that have an Internet connection and therefore can be accessed by outsiders. King suggested there is a remote possibility that hackers could capture equipment in an operating room and hold the life of an anesthetized patient in the palm of their hands, essentially cutting out any deliberate decision-making at the executive level. However, he did note that this is more in the realm of a terrorist attack than of hackers looking to make a few bucks.

It's cheaper and a lot less worrying to take some basic steps: fully encrypt every laptop, workstation and portable drive (which addresses the lost-device breaches, not ransomware), keep backups of patient records that are tested and kept offline where ransomware can't reach them, and simply order all employees not to click on links or open attachments in suspicious emails (many pieces of malware, ransomware included, get into computer systems this way). But I suspect that many hospitals are going to have to experience a very expensive lesson before those measures become universal.–Ron (@FierceHealth)