For a week, the IT network of a Californian hospital was completely paralysed by a cyberattack, forcing the hospital to declare an emergency.
A group of hackers, whose identities remain unknown, infected the IT networks of the Hollywood Presbyterian Medical Center, using malware to encrypt all the hospital’s data. The hackers initially demanded a ransom of 9,000 bitcoins (3.3 million euros) to allow the hospital to regain control over its data. A few days later, the hackers changed their minds and lowered the demand to 40 BTC (approximately 15,000 euros), which the hospital eventually paid.
The encryption of data, combined with the rapid propagation of the malware through the hospital’s user terminals and servers, rendered several items of hospital equipment unusable. No longer able to provide full care services, or to access patients’ data, the hospital was forced to put safety first and moved almost 900 people to another hospital in the region.
In addition to the inaccessibility of medical data, the hospital simultaneously lost its ability to communicate by e-mail, both internally and externally. This made it necessary to create medical files by hand or by fax. It was also not possible to communicate the results of MRI scans and other procedures directly to patients.
Hospital managers stated, however, that some day-to-day tasks were not affected and the hospital continued to treat patients.
A random target
According to a statement by the Director of the hospital, the establishment was not the victim of a targeted cyberattack, but rather of a massive, indiscriminate campaign of infection. It appears possible that an employee mistakenly opened an infected attachment in an e-mail sent to thousands of potential victims. This method of infection allows hackers to raise the success rate of a campaign.
Regardless of how well an IT network is secured, and whatever the size of the victim (an individual, a business or, as in this case, a hospital), hackers do not necessarily require particular skills to infect and paralyse a victim. A simple phishing campaign carrying an attachment infected with DIY malware and aimed at someone who is not aware of social engineering threats is enough to compromise a network, obtain access to sensitive information, or even disable an entire IT system.
A growing interest in healthcare establishments
Attacks against insurance companies, hospitals and healthcare providers seem to have increased in recent years. Since 2010, in the United States, 158 establishments in the healthcare field have reported attacks on their IT systems which compromised the security of their patients’ medical data.
This growing interest among hackers in personal medical data has resulted in a new law being introduced that obliges hospitals to make public any leak of data involving more than 500 patients.