California Hospital Hacks Reveal Weak Links In Health Cybersecurity

For 10 days in February, the staff at Hollywood Presbyterian Medical Center had to treat patients the old-fashioned way, with pen-and-paper forms, faxes and hand-delivered X-rays. Gone were many of the data-reliant, high-tech tools that have transformed medical care, according to local media reports.

The Los Angeles hospital had fallen victim to a ransomware attack – an increasingly common type of network break-in that encrypts all information in its path. When hospital computer systems freeze, the hackers offer to reverse the encryption in exchange for cash.

“It’s like if someone broke into your house and changed the locks on your doors and said, ‘If you give me money, I’ll give you the new key and everything will be just where you left it,’ ” said John Klassen, senior director of solutions marketing at Bay Area cybersecurity firm FireEye.

Cybercriminals have targeted hospitals with growing frequency in recent years, identifying the millions of recently digitized patient files as a treasure trove of unguarded information. Hospitals have historically been vulnerable to security breaches due to their reliance on expensive, aging medical equipment, their inability to halt patient care to perform time-consuming software updates, and a workflow that depends on the constant input and accessing of data on different devices. Those complications, combined with the high black market value of medical records, make such facilities prime targets for a growing number of sophisticated criminals.

Breaches at hospitals, insurance companies and other health care-related businesses have been climbing in California in recent years, with 30 incidents reported in 2015, up from eight in 2009, according to the U.S. Department of Health and Human Services. Nationally, about 1,500 data breaches have been reported in health care settings since 2009.

Last year, the Ponemon Institute, a privacy and security research group, found that about half of health organizations are attacked by hackers one or more times in any given 12-month period.

“(Hospitals) are in a tricky situation,” said Lysa Myers, security researcher at software company Eset. “There are ways in which they’re behind the curve in terms of securing information, but they also have it harder. At a bank you’re not really sharing people’s information. At a hospital it’s important to be able to share information quickly and safely. That’s not the same as getting it and locking it up.”

In October, Gov. Jerry Brown signed legislation requiring hospitals to properly encrypt patient information and notify all affected patients when a breach occurs. The California Department of Public Health can fine hospitals $25,000 for each person whose information is breached if they’ve failed to prevent unauthorized access to data.

In Sacramento, the UC Davis Medical Center and the Sutter Medical Foundation have both suffered data breaches in recent years, each affecting between 1,300 and 2,300 patients. Representatives from both organizations said patient files were not compromised.

“UC Davis Health System has ongoing, multiple defensive layers to continuously prevent, identify and contain cyberattacks at the system and end-user levels,” said interim Chief Information Officer John Cook in an email. “These include multiple network, system and data safeguards (firewalls, encryption, intrusion prevention systems, etc.) to detect, prevent and mitigate the effects of an attack.”

At Hollywood Presbyterian, all attempts to bring systems back online failed. Finally, the hospital paid $17,000 in the form of 40 bitcoins – an anonymous digital currency commonly used for laundering, illicit drug purchases and cyberterrorism – to regain access to its records.

Just weeks later, two Prime Healthcare hospitals in the Los Angeles area also had their data taken hostage. In both cases, hospital officials shut down the cyberattacks and regained access to their data without paying ransom. Media reports indicated patients at Hollywood Presbyterian had to wait hours longer for care and suffer other inconveniences.

“The staff at the impacted hospitals switched to the backup paper record system for a period while the situation was being analyzed and controlled,” said Prime Healthcare spokeswoman Elizabeth Nikels in an email. “We were able to successfully contain the disruption after a short period and no patients were ever turned away from receiving care.”

In addition to ransomware attacks, hospitals are also vulnerable to “back door” hacks. While people launching ransomware attacks don’t necessarily use the compromised data, back door hackers seek out the most valuable information a hospital has on file – usually patient medical records – and transfer it to their own computers to sell to people committing medical-identity fraud.

If hackers make their way into main data caches, they can steal millions of patient records at a time and sell them to people seeking to illegally get medication or undergo medical procedures under another identity, Myers said. Such a breach occurred at the UCLA Health System in July, compromising 4.5 million patient records. At least two patients filed lawsuits seeking class-action status against the system.

“You think about credit card info as the holy grail, but you can cancel a credit card,” Myers said. “You can’t cancel medical records and start over. They’re with someone their entire life. … Once it’s out of the hospital’s control, it’s really out of their control. There’s nothing you can do to put the toothpaste back in the tube.”

Hospitals and health insurance companies are particularly at risk of cyberattack because of the unique nature of their operations.

Many hospitals use decades-old specialized medical equipment that isn’t equipped with security software, experts said. Hackers often target vulnerable machines as entry points to access other information in the network. Shutting breached devices down can stop the malware in its tracks, but it isn’t always an option considering the constant need to provide care.

“A lot of these devices weren’t designed to be secured,” Klassen said. “Hospitals are not going to shut down a medical device or put things on hold until they know it’s safe to proceed.”

Doctors also often computer-jump, work in multiple departments and have different levels of security privilege on several devices. That means a cyberattack can spread quickly after someone opens a suspicious link, PDF or Microsoft Word document from an email, and inadvertently releases malicious programs that run code quietly and imperceptibly behind the browser.

“They have a larger attack surface,” Klassen said of hospitals. “They’re more exposed.”

Such facilities also operate on a 24/7 schedule, which means hospitals can’t usually go without computers during the hours or even days it takes to install system updates and encryption programs that hide patient data.

“Because the provider doesn’t want to take the application offline – stop the presses for a few hours – they don’t do it, and that’s a vulnerability,” Klassen said.

To prevent ransomware attacks, hospitals must have all of their information backed up on a separate network so they can wipe clean the system they’ve been locked out of and start fresh. Increasingly, hospitals are hiring additional technical staff members and seeking alternative storage solutions, such as off-site “cloud” servers.

“Lately there’s been a big emphasis, with the implementation of the electronic medical record, on patient records and how to protect information,” said Cheri Hummel, vice president of emergency management and facilities for the California Hospital Association. “It’s a very challenging process and an ever-changing process. (Hospitals) need to be vigilant about updating their system, backing up their data and learning how to maintain care at their facilities in the event their systems are shut down.”