Not too long ago, putting online the nation’s wild, messy, unreliable system of medical records seemed like a worthy goal.
“To improve the quality of our health care while lowering its cost, we will make the immediate investments necessary to ensure that, within five years, all of America’s medical records are computerized,” President Obama said in 2009. “This will cut waste, eliminate red tape and reduce the need to repeat expensive medical tests.”
While the shift that Obama and many others pushed may have improved care, electronic medical records led to quite the unique hostage situation in Los Angeles this week. There, a hospital fell prey to a cyberattack — and the hospital has escaped its plight by paying hackers a $17,000 ransom.
Allen Stefanek, president and chief executive of Hollywood Presbyterian Medical Center, explained the situation in a statement Wednesday.
“On the evening of February 5th, our staff noticed issues accessing the hospital’s computer network,” he wrote. “Our IT department began an immediate investigation and determined we had been subject to a malware attack. The malware locked access to certain computer systems and prevented us from sharing communications electronically.”
What communications needed to be electronically shared? As Stefanek got around to pointing out a few paragraphs later, medical records. As reports emerged of the hospital being forced to resort to the prehistoric days of paper charts, at least one patient was feeling the pain.
“I wasn’t feeling very well, went in for a checkup and they said their computers were down,” patient Melissa Garza told Fox 11 last week. “I asked, ‘What’s going on here?’ and they said, ‘We were hacked.'”
But all was now well, Stefanek said Wednesday.
“All systems currently in use were cleared of the malware and thoroughly tested,” he wrote. “We continue to work with our team of experts to understand more about this event.”
Stefanek also said that reports of the ransom payment were greatly exaggerated.
“The reports of the hospital paying 9000 Bitcoins or $3.4 million are false,” the statement said. “The amount of ransom requested was 40 Bitcoins, equivalent to approximately $17,000.”
For a 434-bed hospital with more than 500 doctors that’s generated as much as $209 million in yearly revenue, perhaps that wasn’t so much. But wasn’t any amount too much? Could anonymous computer wizards potentially compromise care and get away with it?
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Stefanek’s statement said. “In the best interest of restoring normal operations, we did this. ”
Experts agreed this was a familiar course of action.
“Unfortunately, a lot of companies don’t tell anybody if they had fallen victim to ransomware and especially if they have paid the criminals,” Adam Kujawa, malware intelligence head for Malwarebytes, a San Jose-based company that recently released software designed to thwart such attacks, told the Associated Press. “But I know from the experiences I hear about from various industry professionals that it’s a pretty common practice to just hand over the cash.”
But Hollywood Presbyterian, owned by CHA Medical Center of South Korea, said not to worry.
“Patient care has not been compromised in any way,” Stefanek wrote. “Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access.”
If that’s true, Hollywood Presbyterian has avoided potential disaster. To name just one example of a health-care-related computer attack, the hack of a hospital operator in Tennessee compromised the personal information of 4.5 million people in 2014.
“Any time you are offering any type of information you consider personal, private or sensitive, you have to be aware that the minute you provide it to a third party, you’re reliant on them to protect it,” Mark Burnette, a security and risk attorney, said at the time of the Tennessee hack. He pointed out that the emergency room is not a great place to ask about data privacy: “If you are in need of life-saving medical care, you’re not going to stop and say, ‘Hey, before you start to operate, can you tell me if you’re going to protect my information?'”
Even police departments have coughed up ransom payments to get their data back.
“A major criticism of electronic medical records in America is that the companies that make them have financial incentives to keep them from being easily shared,” Kaiser Health News wrote in 2014. “It’s kind of like Windows versus Mac operating systems. Many companies are trying to win market share by creating software that doesn’t ‘talk’ to that made by other companies, so if a big hospital uses software from company X, then all the doctors that work with that hospital will have an incentive to buy that software, too.”
The FBI is investigating the attack on Hollywood Presbyterian, but it did not release details.