California hospital pays hackers $17K after ransomware attack

A Los Angeles hospital has paid hackers roughly $17,000 (40 bitcoins) after a ransomware attack left its networks disabled, a move the organization decided was "in the best interest of restoring normal operations."

"The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Hollywood Presbyterian Medical Center CEO Allen Stefanek said in a statement. Stefanek called prior reports that the ransom requested was 9,000 bitcoins ($3.4 million) "false."

The medical center was hit with the attack on Feb. 5, which left employees without access to the electronic health record systems and email for more than a week.

The hospital immediately informed law enforcement about the attack, according to the Associated Press, and by Monday the network was up and running again. "All systems currently in use were cleared of the malware and thoroughly tested," Stefanek said in the statement. "We continue to work with our team of experts to understand more about this event."

Laura Eimiller, FBI spokeswoman, said the agency is investigating the attack, the AP article added.

Ransomware is a rising security concern in healthcare, and Hollywood Presbyterian is not the first healthcare organization to fall victim to it. Last month, Mount Pleasant, Texas-based Titus Regional Medical Center's electronic health record system was left inaccessible by such an attack, FierceEMR previously reported.

Ronald Mehring, vice president of technology and security at Dallas-based Texas Health Resources, told FierceHealthIT in an email that the best way to protect against a ransomware attack is to have backups and for providers to know their recovery point objectives and limitations.

Mehring, who serves on FierceHealthIT's Advisory Board, added that organizations should be cognizant of their backup and detection latency, and should be vigorous in monitoring for file changes in directories and for abnormal user behavior.

Temple University Health System Chief Information Security Officer Mitch Parker agreed, adding in an email to FierceHealthIT that health systems "need defense in depth for anti-malware and anti-virus, good patching and [need to] avoid Java as much as possible."

"I've seen one of the attack vectors for this, and it was a malformed PDF," Parker said. "These programs get in because of large holes such as Adobe products or Java, and use your access to cause damage."

Hospital systems and networks are not the only entities at risk from ransomware; medical devices and wearables also are vulnerable to such attacks, according to a Forrester Research report.

To learn more:
- Check out Stefanek's statement (.pdf)
- Here's the Associated Press article