Cyberattack on Hollywood hospital exposes vulnerability of digital records

The FBI is investigating a ransomware cyberattack on a hospital in Los Angeles that forced doctors and medical staff to return to old-fashioned records and highlighted the vulnerability of healthcare data to hackers.

Mario Anzuoni/Reuters
The Hollywood Presbyterian Medical Center is pictured in Los Angeles, California Tuesday. The FBI is investigating a cyberattack that has crippled the electronic database at Hollywood Presbyterian Medical Center for days, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

A cyberattack on a hospital in Hollywood shows how vulnerable doctors and patients have become as health care data is transferred to the national Electronic Health Records system.

The Federal Bureau of Investigation is still investigating the cause of a cyberattack that crippled the patient data electronic database at the Hollywood Presbyterian Medical Center and forced patients and staff to relay chart information by telephone, fax machine, and old-fashioned doctor shorthand.

"It's right there on paper, but it may not be legible," Rangasamy Ramanathan, a specialist who works with the hospital, told Reuters. "The only problem is doctors' writing."

Cyberattacks on health care facilities can have much deeper implications for patients than long wait times, however, even for those who had no contact with the hospital during or immediately after the attack, as the Monitor's Passcode correspondent Jaikumar Vijayan wrote following the massive hack into the Premera Blue Cross computer system exposing data of millions of Americans:

While hackers who break into banks can get away with millions of credit card numbers, increasingly hackers are targeting healthcare networks for repositories of names, Social Security numbers, birth dates, bank account information, claims information, and clinical data....

Not only is this information being traded on the black market for people to commit identity theft, it's also being used to obtain prescription drugs and commit insurance fraud. For the individuals whose identities are used to perpetrate these crimes, their own medical treatments may be impacted, their health insurance disrupted, and their credit scores lowered.

Medical identity theft impacted an estimated 2.3 million in 2014, a 21 percent increase from 2013, and cost victims an average of $13,500, according to the Ponemon Institute, a security and privacy research organization.

In the case of the Hollywood hospital attack, the hackers used a type of malware called ransomware, meaning they encrypted the hospital's data and demanded 9,000 bitcoins – about $3 million – to return it, MIT Technology Review reported. The hospital's electronic data system has been turned off for almost a week since, and the hospital president and chief executive officer Allen Stefanek declared an internal emergency because of the information technology problems caused by the hack.

The transfer of all medical records to the Electronic Health Records system has created an opportunity that hackers are proving eager to exploit, for despite holding more personal data than either retailers or banks, hospitals and insurance companies have so far been slower to protect it, Mr. Vijayan previously reported for Passcode.

“When you look at any crime, it requires motive and opportunity,” Rob Sadowski, director of technology solutions at RSA, the security arm of EMC Corp, told Vijayan.

This report contains information from Reuters.

[Editor’s note: The original version of this story misspelled the name of RSA's Rob Sadowski. In an update, the Hollywood Presbyterian Medical Center paid about $17,000 to the hackers to retrieve its data on Thursday.]
