On the ground at the LA hospital taken hostage by hackers
Hollywood Presbyterian Medical Center, the Los Angeles hospital recently struck by a computer-disabling cyberattack, was a surprisingly calm place on Wednesday.
Media had described the hospital as paralyzed by hackers, but aside from some chit-chat about computer problems in the hospital cafeteria and one employee’s frustrated Instagrams, the place appeared to be operating normally. Names are called out from a list in the emergency room waiting area. Nurses wheel a grandmother to visit a small girl in the main hallway. A woman with a baby gets dropped off by a Lyft car at the front entrance, and a Maserati waits nearby to be valet parked. Everything would seem a picture of banal order–unless you’d heard the significant, sometimes sensationalized news that the hospital had, in fact, been royally hacked, its computers taken hostage.
Two weeks earlier, on February 5th, criminals had used malware called ransomware to lock down critical computer systems and functionality, significantly hampering the hospital’s operations. The hackers demanded a ransom, in Bitcoin of course, to release the code that would let the hospital regain access to its own systems and files.
By Wednesday night, the ordeal was over.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this,” wrote Allen Stefanek, the hospital’s president and CEO, in a statement released Wednesday evening.
Malware downloaded onto one of the hospital’s computers affected its “enterprise-wide hospital information system,” blocking access to certain systems and preventing electronic communications within the hospital, according to the statement. The ransom asked for and paid was 40 Bitcoins, equivalent to about $17,000–far less than the $3.4 million ransom that had been widely reported after the attack was made public.
A spokesperson for the hospital declined to comment or elaborate further.
The attack is a typical, if high-profile, example of “ransomware,” a form of crypto-extortion. The hospital is far from the first victim. Law firms, small businesses, and even police departments have suffered the attacks. Most of them, like the hospital, end up paying the ransoms. Like a kidnapped child, our digital information is just too valuable to risk.
When the attack on Hollywood Presbyterian was first noticed, the hospital claims it immediately contacted law enforcement. The LAPD, the FBI and “computer experts” launched investigations into the attack–though the Los Angeles Times reports that law enforcement sources claim the hospital paid the ransom before reaching out. The LAPD referred queries to the FBI, which did not respond to an interview request.
The lockdown disabled many of the hospital’s computer systems, forcing it to rely on paper records and documents as well as fax machines for communications. An early report from NBC Los Angeles cites an unnamed doctor who said the hacked computers made it impossible to transmit lab work, share X-rays and scans, and access some medical records. Some patients were reportedly moved to different hospitals. A video shared on Instagram shows hospital workers manually scanning printed medical documents, then shredding the paper.
Though the attack was a disruption, the hospital claims no danger was posed to the people in its care. “Patient care has not been compromised in any way. Further, we have no evidence at this time that any patient or employee information was subject to unauthorized access,” the hospital’s statement reads.
It’s unclear when the problem was resolved. The hospital’s statement claims that access to its electronic medical record system was restored on Monday, February 15. How long the attack and lockdown affected other capabilities was not explained.
While the hospital maintains that this attack was ultimately minor, it raises concerns within the industry and beyond about the threat of malicious hackers attacking public-serving institutions that increasingly rely on networked systems and smart devices. Centrally controlled infrastructure is evidently susceptible to these types of attacks and capable of affecting large numbers of innocent people.
Exactly how the hospital’s system was breached has not yet been fully explained. In the meantime, other organizations–from hospitals to public utilities to government entities–may consider adjusting their security systems and protocols. Relatively little damage was caused by this attack. But it’s easy to imagine how such a situation could have resulted in much more significant costs than the $17,000 the hospital paid.
Nate Berg is a journalist covering cities, design and technology. He is based in Los Angeles.