Elements of MedStar Health attack mirror ransomware warned about by FBI

The attack paralyzing MedStar Health's computer systems is the result of ransomware, both the Baltimore Sun and CBS Baltimore are reporting.

According to the Sun, which cited two unnamed sources, one of which is a MedStar doctor, hackers are asking for either $1,250 (3 bitcoins) to unlock the encrypted data on each individual computer or $18,500 (45 bitcoins) to unlock all affected computers. CBS Baltimore reported that the FBI identified the attack at MedStar Union Memorial Hospital in Baltimore as ransomware "within hours" of the incident.

What's more, the Sun reports, analysts say the actions taken by hackers in this instance are "almost identical" to actions associated with ransomware known as MSIL/Samas, for which, according to Reuters, the FBI issued an alert March 25, three days before MedStar's troubles began.

Neither the FBI nor MedStar would confirm the nature of the attack to FierceHealthIT.

On Wednesday, MedStar issued a statement saying clinicians had regained the ability to review medical records and submit orders via the electronic health record.

Such a payment to unlock data held hostage is not unprecedented: Hollywood Presbyterian Medical Center in February paid roughly $17,000 (40 bitcoins) to retrieve its information from hackers, with CEO Allen Stefanek calling the decision "the quickest and most efficient way to restore our systems and administrative functions."

Prior to the MedStar attack, Rep. Ted Lieu (D-Calif.) said he may propose a bill that would require providers to let their patients know when a ransomware attack has occurred.

Mike Overly, an information security attorney at Foley & Lardner LLP, told FierceHealthIT, however, that he does not think such a move would help to protect anyone.

"Ransomware isn't designed to access and use healthcare data for unauthorized purposes ... there isn't a data breach, but an inability to access information," Overly said. "Putting consumers on notice that their data wasn't accessible for a period of time is far different from laws requiring notice to consumers when their data has been disclosed to unauthorized individuals. The only benefit of such a law is that it will finally provide everyone with better insight into just how widespread ransomware attacks are."

Currently, Overly said, many attacks go unreported, with small ransoms paid.

Mark Gentry, an information security analyst at Macon, Georgia-based Navicent Health, told FierceHealthIT that such potential legislation would like only serve to create panic, misinformation, confusion and delays.

"Keeping general employees and C-suites informed and vigilant in this fight is one thing," he said in an email. "[The involvement] of clueless politicians … is not going to help IT security professionals fix anything."

To learn more:
- read the Baltimore Sun article
- here's the CBS Baltimore story
- check out the Reuters article