The cyberattack on MedStar Health – one of the biggest health-care systems in the Washington region – is a foreboding sign that an industry racing to digitize patient records and services faces a new kind of security threat that it is ill-prepared to handle, security experts and hospital officials say.
For years, hospitals and the health-care industry have focused on keeping patient data from falling into the wrong hands. But the recent attacks on MedStar’s network and other hospitals across the country highlight an even more frightening downside of security breaches: As hospitals have become dependent on electronic systems to coordinate care, communicate critical health data and avoid medication errors, patients’ well-being may also be at stake when hackers strike.
Hospitals are used to chasing the latest medical innovations, but they are rapidly learning that caring for sick people also means protecting medical records and technology systems from hackers. An industry that has traditionally spent a small fraction of its budget on cyberdefense is finding that it also must teach doctors and nurses not to click on suspicious online links and shore up its technical systems against hackers armed with an ever-evolving set of tools.
In some ways, health care is an easy target: Its security systems tend to be less mature than those of other industries, such as banking and tech, and its doctors and nurses depend on data to perform time-sensitive, lifesaving work. Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2 to 3 percent, said John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston.
“If you’re a hacker . . . would you go to Fidelity or an underfunded hospital?” Halamka said. “You’re going to go where the money is and the safe is easiest to open.”
The stakes are extraordinarily high. Hospitals’ electronic systems are often in place to help prevent errors. Without computer systems, pharmacists cannot easily review patients’ lab results, look up what other medications the patients are on or figure out what allergies they might have before dispensing medications. And nurses administering drugs cannot scan the medicines and the patients’ wristbands as a last check that they are giving the correct treatments. When lab results exist only on a piece of paper in a patient’s file, it is possible they could be accidentally removed by a busy doctor or nurse – and critical information could simply disappear.
In MedStar’s case, a virus early this week infiltrated its computer systems, forcing the health-care giant to shut down its entire network, turn away patients, postpone surgeries and resort to paper records.
“One thing I think is becoming clear, especially over the last few weeks or months, is that health care is rapidly becoming a target for this,” said Daniel Nigrin, chief information officer of Boston Children’s Hospital, whose network came under attack by the hacker collective Anonymous in April 2014. “What struck us at that point was, you know what? These attacks can do a lot more than get your data; they can really disrupt the day-to-day operations of your facilities.”
Although a handful of hospitals nationwide have been victims of cyberattacks in recent weeks, the MedStar security breach shows hackers’ increasing boldness and sophistication.
The chain is one of biggest employers in the Baltimore-Washington region and runs 10 hospitals as well as 250 clinics and other sites. MedStar spokeswoman Ann Nickels declined to elaborate on what sort of software attack the hospital suffered, but several employees have said they saw a pop-up message suggesting that it was “ransomware” – software that can lock people out of systems until they make a bitcoin payment. According to a photo of the pop-up message provided by a MedStar Southern Maryland Hospital Center employee, the hackers were demanding 45 bitcoins – equivalent to about $19,000 – to restore access to MedStar’s system.
“You just have 10 days to send us the Bitcoin,” the note read. “After 10 days we will remove your private key and it’s impossible to recover your files.”
Nickels said MedStar saw “no indication that data has left our system” or that patient privacy had been compromised. In a statement, the health-care system said it had not paid any type of ransom. A Friday-afternoon update from the hospital said MedStar was “approaching 90 percent functionality” of its systems.
Ransomware is not new, but cybersecurity experts and FBI data say its use is on the rise. Hospitals, of course, are not the only institutions facing such attacks. In nine months in 2014, the FBI received 1,838 complaints about ransomware, and it estimates that victims lost more than $23.7 million. The next year, the bureau received 2,453 complaints, and victims lost $24.1 million. The FBI does not condone the paying of ransoms, but its agents acknowledge that businesses are often left with a tough choice.
Hospitals, in particular, are vulnerable. In the weeks before the attack on MedStar, hackers hit Hollywood Presbyterian Medical Center in Los Angeles, extorting $17,000 worth of bitcoins, and Kentucky-based Methodist Hospital, which declared a state of emergency after an attack. Two Southern California hospitals, part of Prime Healthcare Services, were attacked in March.
Justin Harvey, the chief security officer of Fidelis Cybersecurity, said the hackers’ success is likely to make them bolder, and he worries about critical infrastructure in the United States.
“I can’t comment on whether the [Federal Aviation Administration] and all the power grids are up to snuff,” he said. “If they’re not, it can create a big problem.”
Craig Williams, security outreach manager at Talos, the cybersecurity research group of Cisco, said the use of ransomware has exploded because it yields good profit margins. He estimated that it is a $100 million-a-year business.
“The malware industry is making giant steps toward ransomware, and really, the reason behind this is ransomware’s profit margin simply exceeds that of other types of criminal activity,” Williams said.
The way hackers get into a system is generally through a phishing attack – persuading an unsuspecting employee to click on a link or an attachment in an email – or by finding a network vulnerability.
That leaves hospitals with two challenges: designing systems that can resist attack and training employees.
On the network side, Williams said health-care companies – or any companies – that do not have full-time security specialists may not be keeping up with the latest problems and patches. He noted that one strain of ransomware exploits a well-known vulnerability in networks, and when his team did a scan of the Internet this week, it found 2.1 million servers that would be susceptible to such an attack.
The cultural problem may be even harder to solve.
“You’re as vulnerable as your most gullible employee,” Halamka said.
At Beth Israel, the hospital has printed up stickers that appear on salad containers and cookie packaging in the cafeteria so that people are reminded, even when eating lunch, not to click on links in emails they did not expect to receive. The hospital also has conducted internal phishing campaigns – sending fake emails to employees to assess where risks exist and to see whether extra cybersecurity training is needed.
Experts said the recent attacks seem to be based in Eastern Europe, although it is hard to tell whether one group alone is responsible. The hacks have similarities, to be sure, but hackers trade tools and information. One concern is that as the attacks gain coverage, they will inspire more copycats who will use the same technique to target other vulnerable networks.
“This thing is an industry, the black market that does this type of activity,” said Chris Ensey, chief operating officer at Dunbar Security Solutions.
The details of MedStar’s particular case – including what ransomware might have been used and how it got into the system – remain murky. An FBI spokesman declined to provide any details – including on the type of possible ransomware – other than to say the bureau was “aware of the incident and is looking into the nature and scope of the matter.”
– – –
Washington Post staff writer John Woodrow Cox contributed to this story.