The Case of the Hacked Hospital: When a Cyber Breach Becomes a Health Crisis

Recently, we noted the vulnerabilities that arise from use of the Internet of Things and how they have come to affect the health industry. Recent events continue to highlight this development. Since the start of the year, there have been cyber attacks targeting hospitals. Perhaps recognizing the extensive disruption and the potential privacy concerns for patients, the hackers have targeted these institutions either to make a point or to seek large sums in exchange for returning access to the hospital data. In January, Hurley Medical Center, based in Flint, Mich., was attacked, although a spokesperson stated that policies and protocols were followed and patient care was not compromised. The hacktivist group Anonymous released a video with the hashtag #OpFlint prior to the cyber attack, which suggests it was responsible for the breach and meant it to make a point regarding the city’s water crisis, although no confirmation has been made.

This month, Hollywood Presbyterian Medical Center succumbed to a ransomware attack and did not fare as well as Hurley. (Ransomware is a type of malware that blocks access to the infected computer system. In exchange for restoring access, the malware demands that the user pay a ransom to the malware operators to remove the restriction.) A growing number of cybercriminal organizations are using deceptive links and websites to install this type of malicious software and hold your data or system for ransom. Infected machines display messages that demand payment in order to restore functionality. Recent versions have become even more savvy, allowing hackers to encrypt the victim’s data so that even if the victim is able to restore access to the computer system, there will be no way to unlock the data. In the case of Hollywood Presbyterian, the cyber breach prevented access to the hospital’s computer systems, email and data, causing hospital employees to resort to handwritten notes and faxes. After declaring an emergency, the hospital ultimately paid out about $17,000 worth of bitcoins, deeming it “the most efficient way to solve the problem.” (Initial reports stated that the hackers responsible for the cyber attack originally demanded $3.4 million to be paid in the digital “currency.”)

These incidents emphasize the need for companies to implement a robust cybersecurity policy to protect not only their own systems but also the data of their customers. It is critical for all companies to educate employees on the proper use of the Internet of Things as part of their job (not to mention the use of the Internet and social media). While this is not all that different in terms of best practices—employees need to be educated on identifying suspicious emails, refraining from clicking on links or websites they do not recognize, etc.—the ubiquity of household and workplace items that are now themselves repositories of data and connected to the Internet means there are many more opportunities for a cyber thief to benefit from a momentary lapse in cybersecurity.

As the case of Hollywood Presbyterian shows, a cyber breach is no longer just a matter of stolen emails and personal data—though those are certainly serious matters—it can also now directly affect the health of those whose data is targeted. This latest case of the hacked hospital shows just another way that, when it comes to cybersecurity, the stakes have been raised for us all.