Should you pay a ransom to get your PHI back?
Jaws dropped in the healthcare industry when news broke of a Los Angeles hospital’s decision to pay hackers a ransom to regain control of its computer systems. The case raises the question: Was the decision to give in and pay the ransom the right choice?
Background: In February, Hollywood Presbyterian Medical Center announced that it had paid 40 Bitcoins (equivalent to about $17,000) to hackers who had deployed malware into the hospital’s computer systems, locking access and preventing the hospital from sharing electronic communications. Although the malware affected the hospital’s electronic medical record (EMR) system containing patients’ protected health information (PHI), the hospital said that patient care was not compromised and that there was no evidence of any unauthorized access to patient or employee information.
The malware locked Hollywood Presbyterian’s systems by encrypting files, and then the hackers demanded that the hospital pay a ransom to obtain the decryption key. “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” hospital President & CEO Allen Stefanek said in a statement.
Get Ready for Your Wake-Up Call
Reaction: “The Hollywood Presbyterian incident has been a huge wake-up call for healthcare and has finally allowed information security to have the respect it deserves in the boardroom,” notes HIPAA expert Jim Sheldon-Dean, founder and director of compliance services at Lewis Creek Systems in Charlotte, Vt. “Healthcare has traditionally been less sophisticated when it comes to information security … [but] now is the time to get serious about protecting systems, because lives and institutions are at stake.”
Problem: “Healthcare institutions are in a tough space,” says Larry Whiteside Jr., Vice President of Healthcare and Infrastructure for Optiv, a Denver-based cybersecurity solutions firm. “They have low margins and have to figure out how to spend their money wisely. Security has for decades been their last choice of spend.”
And despite cyber attackers’ increases in sophistication, “unfortunately, hospital systems have not kept up with the times in changing their endpoint methodologies,” Whiteside warns.
Could This Attack Be A Sign Of A ‘Pandemic’?
Like many industry experts, Whiteside was not surprised by the attack on Hollywood Presbyterian, but the incident has drawn far more media attention to how easy a target healthcare organizations are for cyberattacks.
“Healthcare data is more valuable to hackers than credit cards since more information can be gleaned from it,” he notes. “It is the beginning of a pandemic hitting health systems in the next few years.”
This isn’t a “first-of-its-kind” attack, but it’s the first to get a lot of publicity — mostly because initially the media misreported the ransom as in the millions of dollars range, Sheldon-Dean notes.
“These attacks have been underway for some time and are on the increase, to be sure.”