Hackers demand ransom from California hospital
Hollywood Presbyterian Medical Center has been the victim of a recent cyber-attack that shut down the hospital’s network and placed it in a state of crisis. The attack was conducted using a type of malware known as ransomware. The hack has caused a state of emergency for the hospital and has compromised the hospital’s ability to care for its patients. Medical professionals have been unable to access patient records stored on the hospital’s network, and it is unknown whether patient or employee records have been compromised in the attack. The attackers are demanding an unprecedented $3.6 million ransom to release the hospital’s network. (You can read more about the story here.)
From a cybersecurity perspective, ransomware infects computers and restricts users’ access to their files, or threatens the permanent destruction of their information, unless a ransom is paid. There are different types of ransomware — some prevent users from accessing their computer’s operating system, some encrypt files to prevent access, and others stop certain applications from running (such as a web browser). Ransomware can infect a computer via a malicious email or website, or attackers can deliver it directly if they have already compromised the computer with a backdoor through which they can enter. Several individuals and organizations have been victims, and in January 2015 the FBI issued a warning that it had seen an uptick in the use of ransomware by cyber criminals.
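The file-encrypting variety described above leaves a measurable trace: many files rewritten in a short burst with near-random (high-entropy) contents. The following is an added example, not from the article or the hospital, of a defender-side heuristic that runs over a constructed sample of file-write events and flags such a burst. The event format (timestamp, path, bytes written), the window of 60 seconds, the 20-file threshold and the entropy cutoff of 7.0 bits per byte are all assumptions chosen for illustration.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: encrypted or compressed data sits near 8.0,
    plain text and most document formats sit well below."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def build_sample_events():
    """Constructed file-write events as (timestamp_seconds, path, content).
    This is synthetic sample data, not a real capture."""
    rng = random.Random(7)  # fixed seed so the sample is reproducible
    events = []
    # Normal clinical workflow: a few plain-text record updates spread over an hour.
    for i in range(8):
        note = (f"patient {i:04d}: follow-up scheduled, vitals stable\n" * 20).encode()
        events.append((i * 450.0, f"/records/notes/{i:04d}.txt", note))
    # Ransomware-like burst: 25 files rewritten with random-looking bytes within 30 s.
    for i in range(25):
        blob = bytes(rng.getrandbits(8) for _ in range(1024))
        events.append((3600.0 + i * 1.2, f"/records/notes/{i:04d}.txt.locked", blob))
    return events


def detect_encryption_burst(events, window_s=60.0, min_files=20, entropy_threshold=7.0):
    """Return one alert per burst of >= min_files high-entropy writes inside window_s.
    Each alert is {"window_start": <timestamp>, "files": <count>}."""
    high = sorted(ts for ts, _path, data in events
                  if shannon_entropy(data) >= entropy_threshold)
    alerts = []
    i = 0
    while i < len(high):
        start = high[i]
        j = i
        while j < len(high) and high[j] - start <= window_s:
            j += 1
        count = j - i
        if count >= min_files:
            alerts.append({"window_start": start, "files": count})
            i = j  # skip past this burst so it is reported only once
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_encryption_burst(build_sample_events()):
        print(f"ALERT: {alert['files']} high-entropy writes starting at t={alert['window_start']}s")
```

The heuristic only sees bulk encryption, not the lock-screen or application-blocking variants the paragraph also mentions, and ordinary activity such as large backup or compression jobs can trip it, so in practice the threshold and window should be tuned against a baseline of the host's normal write activity.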
This is the first high-profile incident of ransomware used against a hospital. It remains to be seen what the HIPAA implications of this event are. It was reported that the hospital has stated that there is no evidence that medical records have been accessed or extracted by the hackers. It appears the ransomware may only be blocking the hospital from its own system. However, if the hackers have control of the medical records, it would appear that this would be a HIPAA breach. Additionally, the HIPAA Security Regulations require that a covered entity have procedures for obtaining necessary electronic protected health information during an emergency. The preamble to the regulations states that “…in a situation when normal environmental systems, including electrical power, have been severely damaged or rendered inoperative due to a natural or man-made disaster, procedures should be established beforehand to provide guidance on possible ways to gain access to needed electronic protected health information.” This may not be exactly what they had in mind by “man-made disaster,” but it would seem to present the same issue and, thus, may be a HIPAA violation merely because the hospital cannot access its own records.