Why California hospital paid a $17,000 ransom in bitcoin

After a network security breach at the Hollywood Presbyterian Hospital, hospital CEO Allen Stefanek chose to pay the hacker's $17,000 ransom to restore operations.

Mario Anzuoni/REUTERS
The Hollywood Presbyterian Medical Center is pictured in Los Angeles, California on Tuesday. The FBI is investigating a cyber attack that has crippled the electronic database at Hollywood Presbyterian Medical Center for days, forcing doctors at the Los Angeles hospital to rely on telephones and fax machines to relay patient information.

The Hollywood hospital that had its electronic patient records hacked and held hostage chose to pay $17,000 in bitcoin to retrieve the ransomed records.

The Hollywood Presbyterian Hospital’s network came under attack on Feb. 5 by hackers who used a type of malicious software called ransomware to encrypt patient records and make them inaccessible to hospital staff.

Hospital CEO Allen Stefanek explained the decision to pay the ransom, writing in a statement that, "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key."

In his Wednesday statement, Stefanek reported that the hospital’s computer network was free from malware and that patient information had not been subject to unauthorized access.

“As many hospital [computer] systems are outdated and the employees are not very knowledgeable about computer security,” writes Dr. Engin Kirda, professor of computer science at Northeastern University and a co-founder of Lastline, Inc., in an email to the Monitor, “I think it is highly likely that we'll hear of similar stories in the near future.”

Last February, the Christian Science Monitor reported on the rise of ransomware. According to the Monitor, one variety of ransomware called CryptoWall had collected nearly $2 billion worth of ransoms by early 2015.

The majority of ransomware targets are small. According to Center on Foreign Relations cybersecurity expert Robert Knake, targets range from local police offices to small banks.

The Monitor reported last year that a suburban Chicago police department paid just $500 in ransom to retrieve department files.

According to the Monitor, Dell Secureworks calculated that less than one percent of victims paid ransom, though others say that many companies pay without reporting such incidents.

Adam Kujawa, Head of Malware Intelligence for security software maker Malwarebytes, told the Associated Press that although most companies don’t report ransomware incidents, “I know from the experiences I hear about from various industry professionals that it's a pretty common practice to just hand over the cash."

Security experts such as Rahul Kashyap, EVP and Chief Security Architect at computer-security startup Bromium, agree that this trend is likely to continue, writing in an email to the Monitor that “this is a whole new cyber world we’re living in.”

Medical data holders such as the Los Angeles hospital are required by federal law to report security breaches if they impact over 500 people. At least 158 such data breaches have been reported since 2010.

One similar hospital hack in 2014 resulted in the compromise of 4.5 million people’s medical records.

Another Northeastern University professor, Dr. Guevera Noubir, told the Monitor in an email interview that ransomware has become more common in recent years due to the development of infrastructure that facilitates anonymous hacking.

“This started a couple of decades ago,” said Dr. Noubir, “but ransomware became more common recently as it exploits privacy infrastructure such as Tor hidden services and crypto-currencies such as bitcoin.”

According to a report by antivirus software creator Symantec, ransomware attacks in 2013 rose from 100,000 per month to 600,000 a month by the end of the year.

Should organizations like the Hollywood Presbyterian Hospital pay to retrieve their documents?

Mr. Knake says no. “I’ve long been an advocate that it should not be legal to pay ransom,” he said during a phone interview with the Monitor. “I think it drives this criminal market.”

According to Knake, if organizations have taken appropriate precautions and backed up their information sufficiently, ransomware attacks should not be a problem.

Yet, for many patients, a lack of access to medical records could be critical. To them, paying ransom might be worth it, for all that it may encourage hackers. Stefanek’s statement regarding the ransom payment indicates that the hospital chose to offer the money “in the interest of restoring normal operations.”

What else can organizations and individuals do to preserve the security of their information?

Information-security experts agree that the best way to protect information is through adequate preparation and awareness.

According to Noubir, hacks should be handled through “better cyber-security education, users awareness, and computer systems with security by design.”

“There is no silver bullet,” echoes Dr. Kirda, “User education is part of the game, and having people who know security and who monitor these systems is essential.”

The FBI is currently investigating the Hollywood Presbyterian Hospital case.
