Thanks, Obamacare —

Hospital pays $17k for ransomware crypto key

Hollywood Presbyterian says systems were restored after 10-day lockout.

Health IT's security problems run deep.
Sean Gallagher

Hollywood Presbyterian Medical Center, the Los Angeles hospital held hostage by crypto-ransomware, has opted to pay a ransom of 40 bitcoins—the equivalent of $17,000—to the group that locked down access to the hospital's electronic medical records system and other computer systems. The decision came 10 days after the hospital lost access to patient records.

"HPMC has restored its EMR on Monday, February 15th," President and CEO of Hollywood Presbyterian Medical Center Allen Stefanek wrote in a statement published by the hospital late Wednesday. "All clinical operations are utilizing the EMR system. All systems currently in use were cleared of the malware and thoroughly tested. We continue to work with our team of experts to understand more about this event."

The first signs of trouble at HPMC came on February 5, when hospital employees reported being unable to get onto the hospital's network. "Our IT department began an immediate investigation and determined we had been subject to a malware attack," Stefanek wrote. "The malware locked access to certain computer systems and prevented us from sharing communications electronically."

"Law enforcement was immediately notified. Computer experts immediately began assisting us in determining the outside source of the issue and bringing our systems back online," the statement said.

The hospital staff was forced to move back to paper and transmit information to doctors and others by fax machine while the IT team and outside consultants struggled to restore the network. Eventually, hospital executives decided that "the quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Stefanek explained. "In the best interest of restoring normal operations, we did this."

Hospital officials maintain that there is no evidence that patient data was stolen from the network, and Stefanek said that "patient care was not compromised in any way." During the shutdown, however, some emergency call patients were diverted to other hospitals, according to local news reports. Stefanek admitted last week that the emergency department had been "sporadically impacted."

Stefanek did not say how the malware was introduced into the hospital's EMR system. But the leading suspect, according to sources familiar with the investigation, is a phishing attack—likely a link in an e-mail that was clicked by a hospital employee on a computer with access to the EMR system.
