The cyberattack on MedStar Health — one of the biggest health-care systems in the Washington region — is a foreboding sign that an industry racing to digitize patient records and services faces a new kind of security threat that it is ill-prepared to handle, security experts and hospital officials say.
For years, hospitals and the health care industry have been focused on keeping patient data from falling into the wrong hands. But the recent attacks at MedStar and other hospitals across the country highlight an even more frightening downside of security breaches: As hospitals have become dependent on electronic systems to coordinate care, communicate critical health data and avoid medication errors, patients’ well-being may also be at stake when hackers strike.
Hospitals are used to chasing the latest medical innovations, but they are rapidly learning that caring for sick people also means protecting their medical records and technology systems against hackers. An industry that has traditionally spent a small fraction of its budget on cyberdefense is finding it must also teach doctors and nurses not to click on suspicious links and shore up its technical systems against hackers armed with an ever-evolving set of tools.
In some ways, health care is an easy target: Its security systems tend to be less mature than those of other industries, such as banking and tech, and its doctors and nurses depend on data to perform time-sensitive, life-saving work. Where a financial-services firm might spend a third of its budget on information technology, hospitals spend only about 2 to 3 percent, said John Halamka, the chief information officer of Beth Israel Deaconess Medical Center in Boston.
“If you’re a hacker… would you go to Fidelity or an underfunded hospital?” Halamka said. “You’re going to go where the money is and the safe is easiest to open.”
The stakes are almost uniquely high. Hospitals’ electronic systems are often in place to help prevent errors. Without computer systems, pharmacists can’t easily review patients’ lab results, look up what other medications the patients are on or figure out what allergies they might have before dispensing medications. And nurses administering drugs can’t scan the medicines and the patients’ wristbands as a last check that they’re giving the correct treatments. When lab results exist only on a piece of paper in a patient’s file, it’s possible they could be accidentally removed by a busy doctor or nurse — and critical information could simply disappear.
In MedStar’s case, a virus early this week infiltrated its computer systems, forcing the health-care giant to shut down its entire network, turn away patients, postpone surgeries and resort to paper records.
“One thing I think is becoming clear, especially over the last few weeks or months, is that health care is rapidly becoming a target for this,” said Daniel Nigrin, chief information officer of Boston Children’s Hospital, whose network came under attack by the hacker collective Anonymous in April 2014. “What struck us at that point was, you know what? These attacks can do a lot more than get your data; they can really disrupt the day-to-day operations of your facilities.”
Although a handful of hospitals nationwide have been the victims of cyberattacks in recent weeks, the MedStar security breach shows hackers’ increasing boldness and sophistication. The chain is one of the biggest employers in the Baltimore-Washington region and runs ten hospitals as well as 250 clinics and other sites. MedStar spokeswoman Ann Nickels declined to elaborate on what sort of software attack the hospital suffered, but several employees have said they saw a pop-up message suggesting it was “ransomware” — a kind of software that can lock people out of systems until they make a bitcoin payment. According to a photo of that message provided by a MedStar Southern Maryland Hospital Center employee, the hackers were demanding 45 bitcoins — equivalent to about $19,000 — to restore access to MedStar’s system.
“You just have 10 days to send us the Bitcoin,” the note read. “After 10 days we will remove your private key and it’s impossible to recover your files.”
Nickels said MedStar saw “no indication that data has left our system” or that patient privacy had been compromised. In a statement, the health-care system said that it had not paid any type of ransom. In a Friday-afternoon update, the hospital said that MedStar was “approaching 90 percent functionality” of its systems.
Ransomware is not new, but cybersecurity experts and FBI data say its use is on the rise. Hospitals, of course, are not the only institutions facing such attacks. In a nine-month period in 2014, the FBI received 1,838 complaints about ransomware, and it estimates that victims lost more than $23.7 million. The next year, the bureau received 2,453 complaints, and victims lost $24.1 million. The FBI does not condone paying ransom, but its agents acknowledge that businesses are often left with a tough choice.
And hospitals, in particular, are vulnerable. In the weeks before the attack on MedStar, hackers hit Hollywood Presbyterian Medical Center in Los Angeles, extorting $17,000 in bitcoin out of the leadership, and Kentucky-based Methodist Hospital, which declared a state of emergency after an attack. Two southern California hospitals, part of Prime Healthcare Services, were attacked in March.
Justin Harvey, the chief security officer of Fidelis Cybersecurity, said the hackers’ success is likely to make them bolder, and he worries about critical infrastructure in the United States.
“I can’t comment on whether the FAA and all the power grids are up to snuff,” he said. “If they’re not, it can create a big problem.”
Craig Williams, security outreach manager at Talos, the cybersecurity research group of Cisco, said that the use of ransomware has exploded because it has good profit margins. He estimated it as a $100 million a year business.
“The malware industry is making giant steps toward ransomware, and really, the reason behind this is ransomware’s profit margin simply exceeds that of other types of criminal activity,” Williams said.
The way hackers get into a system is generally through a phishing attack — persuading an unsuspecting employee to click on a link or an attachment in an email — or by finding a network vulnerability.
That leaves hospitals with two challenges: designing systems that can resist attack and training employees.
On the network side, Williams said that health-care companies — or any companies — that do not have full-time security specialists may not be keeping up with the latest problems and patches. He noted that one strain of ransomware exploits a well-known vulnerability in networks, and when his team did a scan of the Internet this week, they found 2.1 million servers that would be susceptible to such an attack.
The cultural problem may be even harder to solve.
“You’re as vulnerable as your most gullible employee,” Halamka said.
At Beth Israel, the hospital has printed up stickers that appear on salads and cookies in the cafeteria, so that people are reminded, even when eating lunch, not to click on links in emails they didn’t expect to receive. The hospital has also conducted its own internal phishing campaigns — fake emails sent to its employees to assess where the risks exist and to see who needs extra training.
Experts said the current attacks seem to be based in Eastern Europe, although it is hard to tell whether one group alone is responsible. The hacks have similarities, to be sure, but hackers trade tools and information. One concern is that as the attacks gain more news coverage, they will inspire more copycats who will use the same technique to target other vulnerable networks.
“This thing is an industry, the black market that does this type of activity,” said Chris Ensey, the chief operating officer at Dunbar Security Solutions.
The details about MedStar’s particular case — including what particular version of ransomware might have been used and how it got into the system — remain murky. An FBI spokesman declined to provide any details — including on the type of possible ransomware — other than to say the bureau is “aware of the incident and is looking into the nature and scope of the matter.”