Southern California Hospitals Field Ransomware Attacks

Less than two weeks ago, Chino Valley Medical Center in Chino and Desert Valley Hospital of Victorville, both part of Prime Healthcare Services Inc., were the latest victims in a recent rash of Southern California hospital ‘ransomware’ data-hack attacks.

Ransomware is a form of malware that encrypts data so users are unable to access it. Once the data on a server has been encrypted, the attacker offers a “key” to unlock the user’s files for a “ransom” or price. Bitcoin is hackers’ preferred currency because it’s digital and much harder to trace.

Says Fred Ortega of Prime Healthcare, "Nothing was paid and no patient or employee data was compromised".

In February, NBC reported a similar attack against Hollywood Presbyterian Medical Center in Los Angeles who paid $17,000 in bitcoin to hackers in order to unlock its electronic health records (EHRs) and other computer software. This incident is one of three hospital-ransomware takeovers in the past six months, pointing to a new trend in hospital cyberattacks.

Cyber security experts say hospitals are particularly vulnerable because some medical equipment runs on older operating systems that cannot be easily safeguarded. If an employee opens an infected ransomware file from a computer that also connects with a patient monitoring station or insulin pump, those devices could also be locked.

"Malvertising and ransomware attacks will reach a fever pitch," Adam Levin, chairman and founder of IDT911 said. "Medical data and business information like intellectual property will be prime targets, with cyber thieves looking for opportunistic financial gain based on black market value, corporate extortion, and cyber terrorism.”

In January, the Interactive Advertising Bureau (IAB) and Ernst & Young issued a joint report estimating the annual cost associated with a triad of fraudulent practices. Headlining the trio: malvertisements.

“Hospitals are about 10 to 15 years behind the banking industry' in combating cyber threats,” said Lysa Myers, a researcher with the computer security firm ESET.

Quietly, many ransomware victims pay, or abandon infected devices. It came as a shock that Hollywood Presbyterian, owned by CHA Medical Center of South Korea, both revealed the attack and publicly disclosed its cost without apparent reservations.

The logic behind whether to pay a ransom can be very simple:

"If you're at a point where you can't do anything,'' said Jason Haddix, the director of technical operations at Bugcrowd information security firm, "sometimes the only option is to pay.''