Skip to main content

Insufficient Backups, Not Bitcoin, at Fault as Hollywood Hospital’s Data Held Ransom by Hackers

Privacy & security - Insufficient Backups

This is a guest post by Addison James.

In a February 17 letter, Hollywood Presbyterian Medical Center President & CEO Allen Stefanek said, “…the amount of Bitcoins requested was 40 Bitcoins, equivalent to approximately $17,000.” 

This is the number of bitcoins that the HPMC transferred to a hacker or hackers in exchange for the decryption key to the malware locking them out of their IT systems. The hospital’s network was under attack for 11 days (February 5-15 ) before Stefanek paid the ransom. 

While headlines jested about a hospital staff reverting back to pre-1990s procedures when paper and pen were the data medium of the day, a technological regression on this order, when lives are at stake, required a calculation. Stefanek and the hospital had to decide whether people’s lives were worth 40 bitcoins. 

Ultimately, HPMC calculated their losses and liability and paid. This type of Bitcoin-based ransomware has been on the rise since 2013 when it is estimated that more than 200 malware programs were being released every minute of that year. 

Initially, there was CryptoLocker, the ransomware that demanded about $300 in bitcoins from the personal computer user before wiping their hard drives. In early 2015, security companies McAfee and Symantec warned of the CTB-Locker (Curve Tor Bitcoin Locker). This elliptical curve encryption ransomware, spread through spam campaigns, locks users out of their files. Paying a Bitcoin ransom is the only way to retrieve the 3,072-bit key. 

As of January 2016, hackers have been deploying ransomware against websites to shake them down as well. Reports estimate that malware-as-service is now becoming one of the fastest growing trades on the darknet markets. The FBI assumes that there are around 200 hackers responsible for the current malware fiasco. 

As more attacks are launched against personal computer users, websites, and even hospitals, the numbers of Bitcoin related ransomware attacks that are paid will increase, with the HPMC serving as a example for other hackers.

The comparatively paltry sum of 40 bitcoins recently ransomed from HPMC represents a new iteration in the morphing nature of ransomware targets: soft targets that have excellent insurance and will be inoperable without access to their data. 

By asking for a reasonable sum, the hackers are forcing the victims to pay the ransom and write off the cost as an operation expense. Stefanek explains in the letter, “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.” 

A move like this can create potential liabilities in the future for HPMC because targets that pay the ransom are often retargeted, but it was imperative that the hospital have its EMR (Electronic Medical Record) service operable. 

The simplest solution to the problem is that systems, sites and files should all be backed up in secure locations offline as a fail safe against attack. Such services exist, but individuals and organizations typically don't think to use them until an attack already has occurred. 

Some believe entities such as hospitals should be required by law to be more responsible with patient data. 

Similar security weaknesses were exposed following the hack of Target’s TGT security and payments system in 2013. After that hack, consumers became aware of how lackadaisical the retail giant had been with their customer’s data. Increased Bitcoin ransomware attacks could result in resiliency in the area of Bitcoin’s “untraceability” and of private data management systems.