Hackers show it’s easy to take a hospital hostage

Hospital Safety Insider, April 21, 2016


Hospitals work very hard and spend a lot of money to keep their facilities secure, and that includes making sure the computer systems that keep things running and contain patient information are safe.

Sometimes, though, this preparation isn't enough. Take Hollywood Presbyterian Hospital: On February 5, an unknown hacker was able to virtually hold the hospital hostage, seizing control of its computer system and forcing the administration to pay a ransom to regain control.

Such an act is apparently easier than one would think. The computerized assault on Hollywood Presbyterian occurred when hackers used malware known as ransomware to infect the hospital's computers, preventing staff from communicating using the affected devices, according to a February 18 report in the Los Angeles Times. The disruption caused some patients to be transferred to other hospitals, postponed some procedures such as CT scans, and prevented some patients' medical records from being accessed, according to an NPR report.

The hacker, who still remains anonymous, originally demanded $3.4 million to restore the computer system. After almost 10 days of offline computers, the hospital paid a negotiated ransom of about $17,000 to get access back. The ransom was paid in the form of 40 bitcoins, an electronic currency that is largely anonymous, making it almost impossible to track the person who receives the money.

In many cases, preventing hackers from gaining access to crucial patient information, and to computers that could control critical facility infrastructure from security locks to HVAC systems, is not rocket science, and there are many IT security firms dedicated to helping protect healthcare facilities. The key is to do something, not expect to handle it all yourself, and constantly upgrade your IT security capabilities because, as the ransomware situation shows, the threat is evolving almost on a daily basis.

Continuously upgrade security software.
So you bit the bullet and decided to spend $79.99 to install Norton Antivirus on the nursing department's computers to help guard against online threats? That's a start, but it's not going to be enough. Smith says that in 2015, 200,000 pieces of malware were being created every day. That's far more than the average computer security software can keep up with, and it's why you shouldn't try to face the problem alone. A dedicated IT professional should be able to upgrade your facility's servers and computer devices with the latest antivirus software. Software vulnerabilities, such as misconfigurations and failure to update applications such as Internet browsers with the latest security upgrades, can lead to ransomware exploiting your system's weak spots. Outside software should have the latest security upgrades, and any in-house software should be tested for loopholes that could affect security.

Train your employees.
Hackers, and the software they use, take the path of least resistance when trying to find their way into your computers. That's usually the human element. "Hackers are smart, and they know how to social engineer people," says Smith.

Think about it. How many of your staff members check their personal emails, go on Facebook, or do a little harmless browsing if they have any free time? All it takes is for them to click on a malicious link on an insecure website, or open an email attachment from a sender they don't know, and their computer could be infected with a virus or ransomware that could make its way through your hospital's network.

In addition, staff should be trained to never give away or share their passwords, and passwords should be changed on a regular basis. Staff should also avoid setting up shared or default profiles that work around security measures.

Restrict access.
Not every employee in your hospital needs to have access to the same information, nor should they. Remember that the more people who have access to files, computers, software programs, or hard drives, the higher the risk that a malicious program will find its way into your computer system.

Consider cloud backup.
What would your hospital do if it lost all the patient data, security information, SDS information, survey records, and other information crucial to keeping the facility and its patients safe? Well, it wouldn't be able to remain in business, but you can add network mitigation costs, network countermeasures, loss of productivity, legal fees, costs for IT services, and the purchase of credit monitoring services for employees or customers to the list too, according to the FBI's Internet Crime Complaint Center.

Some cybersecurity firms recommend that hospitals consider using a service network that will automatically upload all crucial information to the cloud. This way, if there ever is a loss of data, not just from a hacker but also from other incidents, such as a major power loss, that information will be retrievable from a reasonably recent point in time.

This is an excerpt from the monthly healthcare safety resource Briefings on Hospital Safety.
