It's been widely reported that Hollywood Presbyterian Medical Center experienced a ransomware attack on February 5 that encrypted their data and disabled their network. The hospital was forced to revert to paper and faxes to relay patient information, and hospital operations were so strained that they succumbed to the cyberattack and paid the hackers 40 bitcoins, or about $17,000, to get the decryption key.
And this isn't the first cyberattack against a hospital. Last month, Mount Pleasant, Texas-based Titus Regional Medical Center (TRMC) experienced a ransomware attack on its electronic health record (EHR) system. The attack encrypted files on several of TRMC's database services and blocked its ability to enter or retrieve patient data in the EHR.
Unfortunately, these events only reinforce what those in the cybersecurity world have always known: Hackers have no ethical limitations and clearly are not dissuaded by the risk that sick people could suffer or even die because of their malicious hacking activities. It's a sad reality of the digital age.
This also highlights the fact that the healthcare industry is relatively inexperienced in handling these types of online attacks. Other industries faced with ransomware attacks have learned the hard way that paying online hackers such ransoms is only an invitation for further cyberattacks, not only on the same organization, but on others in the industry as well.
While the Hollywood Presbyterian and TRMC attacks may not have been conducted through a DDoS or web application attack, DDoS attacks tied to extortion attempts are increasing in number at an alarming rate. And as we've been telling healthcare providers for a while now, DDoS threats are real for them - they don't just happen to industries like gaming or retail. Until now, the main threats have been either purely malicious attacks (such as a DDoS attack done in the name of the Anonymous hacktivist group on a Boston-area hospital) or diversions for web application attacks or data breaches. Now we see that DDoS for ransom is also a threat.
HIMSS conducted a survey last year of hospitals and healthcare providers, and the results showed that only 42% of hospitals have any kind of DDoS protection in place. This is a disturbing statistic when we see the threat of DDoS only increasing for hospitals. Far too many hospitals are not prepared for this threat, and this may mean even more of these disturbing stories of extortion cyberattacks on hospitals.