Why California hospital paid a $17,000 ransom in bitcoin

After a network security breach at the Hollywood Presbyterian Hospital, hospital CEO Allen Stefanek chose to pay the hacker's $17,000 ransom to restore operations.

The Hollywood hospital that had its electronic patient records hacked and held hostage chose to pay $17,000 in bitcoin to retrieve the ransomed records.

The Hollywood Presbyterian Hospital’s network came under attack on Feb. 5 by hackers who used a type of malicious software called ransomware to encrypt patient records and make them inaccessible to hospital staff.

Hospital CEO Allen Stefanek explained the decision to pay the ransom, writing in a statement that, "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key."

In his Wednesday statement, Stefanek reported that the hospital’s computer network was free from malware and that patient information had not been subject to unauthorized access.

“As many hospital [computer] systems are outdated and the employees are not very knowledgeable about computer security,” professor of computer science at Northeastern University and a co-founder of Lastline, Inc, writes Dr. Engin Kirda in an email to the Monitor, “I think it is highly likely that we'll hear of similar stories in the near future.”

Last February, the Christian Science Monitor reported on the rise of ransomware. According to the Monitor, one variety of ransomware called CryptoWall had collected nearly $2 billion worth of ransoms by early 2015.

The majority of ransomware targets are small. According to Center on Foreign Relations cybersecurity expert Robert Knake, targets range from local police offices to small banks.

The Monitor reported last year that a suburban Chicago police department paid just $500 in ransom to retrieve department files.

According to the Monitor, Dell Secureworks calculated that less than one percent of victims paid ransom, though others say that many companies pay without reporting such incidents.

Adam Kujawa, Head of Malware Intelligence for security software maker Malwarebytes told the Associated Press that although most companies don’t report ransomware incidents, “I know from the experiences I hear about from various industry professionals that it's a pretty common practice to just hand over the cash."

Security experts such as Rahul Kashyap, EVP, Chief Security Architect at computer-security startup Bromium agree that this trend is likely to continue, writing in an email to the Monitor that “this is a whole new cyber world we’re living in.”

Medical data holders such as the Los Angeles hospital are required by federal law to report security breaches if they impact over 500 people. At least 158 such data breaches have been reported since 2010.

One similar hospital hack in 2014 resulted in the compromise of 4.5 million people’s medical records.

Another Northeastern University professor, Dr. Guevera Noubir, told the Monitor in an email interview that ransomware has become more common in recent years due to the development of infrastructure that facilitates anonymous hacking.

“This started a couple of decades ago,” said Dr. Noubir, “but ransomware became more common recently as it exploits privacy infrastructure such as Tor hidden services and crypto-currencies such as bitcoin.”

According to a report by antivirus software creator Symanetc, ransomware attacks in 2013 rose from 100,000 per month to 600,000 a month by the end of the year.

Should organizations like the Hollywood Presbyterian Hospital pay to retrieve their documents?

Mr. Knake says no. “I’ve long been an advocate that it should not be legal to pay ransom,” he said during a phone interview with the Monitor, “I think it drives this criminal market.”

According to Knake, if organizations have taken appropriate precautions and backed up their information sufficiently, ransomware attacks should not be a problem.

Yet, for many patients, a lack of access to medical records could be critical. To them, paying ransom might be worth it, for all that it may encourage hackers. Stefanek’s statement regarding the ransom payment indicates that the hospital chose to offer the money “in the interest of restoring normal operations.”

What else can organizations and individuals do to preserve the security of their information?

Information-security experts agree that the best way to protect information is through adequate preparation and awareness.

According to Noubir, hacks should be handled through, “Better cyber-security education, users awareness, and computer systems with security by design.

“There is no silver bullet,” echoes Dr. Kirda, “User education is part of the game, and having people who know security and who monitor these systems is essential.”

The FBI is currently investigating the Hollywood Presbyterian Hospital case.