Hospital explains decision to pay ransom to hackers

Daily News Article   —   Posted on February 19, 2016

(by Richard Winton, CBS News) LOS ANGELES — The CEO of Hollywood Presbyterian Medical Center says the hospital decided to pay ransom to hackers who were holding its computer network hostage because that was the “quickest and most efficient way” to regain control of the system.

The hospital paid the ransom using the digital currency bitcoins, in an amount worth about $17,000, after falling victim to what’s commonly called “ransomware” – where hackers seize control of a computer system and threaten to misuse or destroy data if they’re not paid. In this case, the hackers encrypted the hospital’s data and demanded payment in exchange for a digital key to unlock it.

CEO Allen Stefanek issued a statement about the incident, saying: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

Stefanek said the infiltration at Hollywood Presbyterian was first noticed on Feb. 5, and that its system was fully functioning again by Monday, 10 days later.

Some security experts were surprised that the hospital went public.

“Unfortunately, a lot of companies don’t tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals,” said Adam Kujawa, Head of Malware Intelligence for Malwarebytes, a San Jose-based company that recently released anti-ransomware software. “I know from the experiences I hear about from various industry professionals that it’s a pretty common practice to just hand over the cash.”

The hospital did not say whether anyone in law enforcement or the technology industry had recommended it pay off the hackers, and it quickly obtained the digital key needed to access its data again.

Computer security experts normally recommend people not pay the ransom, though at times law enforcement agencies suggest they do, Kujawa said.

The FBI said it is investigating the ransomware attack, but provided no details beyond that.

CBS News correspondent Carter Evans reports that according to a source familiar with the investigation, the hospital paid the ransom before contacting law enforcement.

“If they decided to pay the ransom, it probably means that they didn’t have very good backups, they weren’t able to recover the data, and that the data would have been lost if they didn’t pay the ransom,” Dave Kennedy, CEO of the information security firm TrustedSec, told CBS News.

Neither law enforcement nor the hospital gave any indication of who might have been behind the attack or whether there are any suspects.

The hacking tactic is growing fast against both individuals and institutions, but it’s difficult to say exactly how fast, and even tougher to say how many pay up.

During 2013, the number of attacks each month rose from 100,000 in January to 600,000 in December, according to a 2014 report by Symantec, the maker of antivirus software.

A report from Intel Corp.’s McAfee Labs released in November said the number of ransomware attacks is expected to grow even more in 2016 because of increased sophistication in the software used to do it. The company estimates that on average, 3 percent of users with infected machines pay a ransom.

Bitcoin, the online currency that is hard to trace, is becoming the preferred way for hackers to collect a ransom, FBI Special Agent Thomas Grasso, who is part of the government’s efforts to fight malicious software including ransomware, told The Associated Press last year.

Stefanek also pointed out in his statement, “The reports of the hospital paying 9000 Bitcoins or $3.4 million are false. The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000.”

Stefanek said patient care at Hollywood Presbyterian was not affected by the hacking, and there is no evidence any patient data was compromised. The 434-bed hospital in the Los Feliz area of Los Angeles was founded in 1924, and was sold to CHA Medical Center of South Korea in 2004.

Reprinted here for educational purposes only. May not be reproduced on other websites without permission from CBSNews. Visit the website at cbsnews.com.


Questions

1. How did Hollywood Presbyterian Medical Center respond to ransom demands from hackers?

2. Why did the hospital respond in this way, according to hospital CEO Allen Stefanek?

3. How did the hackers hold the hospital’s computer network hostage?

4. a) What are bitcoins?
b) What is ransomware?

5. How can companies protect their computer systems from ransomware?

6. What information about the case was the reporter unable to ascertain?

7. Consider the following from Computerworld:

This Hollywood hospital didn’t backup its data?

…it appears the hospital failed with its disaster-recovery (DR). Looks like it either didn’t have backups, or the restore failed.

Oopsy daisy, hashtag-fail, oh noes, etcetera. In IT Blogwatch, bloggers see a lesson for all of us: Backups aren’t backups unless you can restore them!

And from Newsweek:

A Los Angeles hospital’s decision to pay a $17,000 ransom to hackers could lead to a proliferation of cyber attacks on critical infrastructure, experts tell Newsweek.

Experts say that succumbing to the hackers’ demands could make further attacks more likely.

“I think whenever a ransom demand is shown to work for the bad guys—meaning victims pay up—it is an incentive for criminals,” independent cybersecurity expert Graham Cluley tells Newsweek.

“Paying up is definitely not a good thing to do in my opinion. But if an organization has failed to keep properly secured backups I can understand how they might feel they have no alternative.”

Dan Wiley, head of incident response and threat intelligence at the security firm Check Point, believes that attacks like the one against HPMC are likely to increase in scope as they are relatively simple to perform and the payoff was quite high.

All experts agree more needs to be done to prevent such attacks from taking place in the first place. One way of protecting against these types of ransom demands is to make sure data is securely backed up; otherwise they risk facing a “business ending event”. Adam Kujawa, head of malware intelligence at Malwarebytes, tells Newsweek that each successful attack leads to more dangerous versions of malware being developed.

“Can we point the finger at Hollywood Presbyterian for making the problem worse? Well at least they did it for the sake of being able to help sick people by getting their operations back online,” Kujawa says.

“The truth is, companies and users have been paying off criminals using this kind of threat for years and this is just another example of the bad guys winning because the victims failed to take action before it was too late.”

What do you think: should the hospital have paid the ransom? Explain your answer.