Cyberattack on Hollywood hospital exposes vulnerability of digital records

A cyberattack on a hospital in Hollywood shows how vulnerable doctors and patients have become as health care data is transferred to the national Electronic Health Records system.

The Federal Bureau of Investigation is still investigating the cause of a cyberattack that crippled the patient data electronic database at the Hollywood Presbyterian Medical Center and forced patients and staff to relay chart information by telephone, fax machine, and old-fashioned doctor shorthand.

"It's right there on paper, but it may not be legible," Rangasamy Ramanathan, a specialist who works with the hospital told Reuters. "The only problem is doctors' writing."

Cyberattacks on health care facilities can have much deeper implications for patients than long wait times, however, even for those who had no contact with the hospital during or immediately after the attack, as the Monitor's Passcode correspondent Jaikumar Vijayan wrote following the massive hack into the Premera Blue Cross computer system exposing data of millions of Americans:

While hackers who break into banks can get away with millions of credit card numbers, increasingly hackers are targeting healthcare networks for repositories of names, Social Security numbers, birth dates, bank account information, claims information, and clinical data....

Not only is this information being traded on the black market for people to commit identity theft, it's also being used to obtain prescription drugs and commit insurance fraud. For the individuals whose identities are used to perpetrate these crimes, their own medical treatments may be impacted, their health insurance disrupted, and their credit scores lowered.

Medical identity theft impacted an estimated 2.3 million in 2014, a 21 percent increase from 2013, and cost victims an average of $13,500, according to the Ponemon Institute, a security and privacy research organization.

In the case Hollywood hospital attack, the hackers used a malware called ransomware, meaning they encrypted the hospital's data and demanded 9,000 bitcoins – about $3 million – to return it, MIT Technology Review reported. The hospital's electronic data system has been turned off for almost a week since, and the hospital president and chief executive officer Allen Stefanek declared an internal emergency because of the information technology problems caused by the hack. 

The transfer of all medical record to the the Electronic Health Records system has created an opportunity that hackers are proving eager to exploit, for despite holding more personal data than either retailers or banks, hospitals and insurance companies have so far been slower to protect it, Mr. Vijayan previously reported for Passcode.

“When you look at any crime, it requires motive and opportunity," Rob Sadowski, director of technology solutions at RSA, the security arm of EMC Corp, told Vijayan.

This report contains information from Reuters.

[Editor’s note: The original version of this story misspelled the name of RSA's Rob Sadowski. In an update, the Hollywood Presbyterian Medical Center paid about $17,000 to the hackers to retrieve its data on Thursday.]