The hackers demanded 9,000 bitcoins, the equivalent of $3.65 million, to unlock the machines at Hollywood Presbyterian, which is at least the fourth hospital this year to be reportedly affected by ransomware.
(TNS) -- A Southern California hospital fell victim to hackers last week — offering a glimpse at one of many digital threats facing health care.
Criminals reportedly infected Hollywood Presbyterian Medical Center computers with ransomware — malware that cryptographically locks devices. The thieves have demanded 9,000 bitcoins, the equivalent of $3.65 million, to unlock the machines, according to sources who spoke with Los Angeles television stations.
Though there are no recorded patient injuries or deaths tied to cyberattacks, digital security in hospitals, and, perhaps, more importantly in medical devices such as pacemakers and MRI machines, has become a growing concern in the industry.
When Avi Rubin began taking tours of East Coast hospitals in the 1990s, he found myriad reasons to worry.
Sloppy password protections at computer labs, practices vulnerable to tampering, and drug dispensing robots controlled by software.
“What if something went wrong with that software?” said Rubin, a Johns Hopkins University computer science professor, at the Enigma Conference, a security gathering in San Francisco last month.
“What if someone were attack this system and cause all the drugs to be wrong?”
If those changes weren’t noticed, thousands of people could receive incorrect dosages or medication. They could die.
The Hollywood Presbyterian incident isn’t nearly that severe.
Ransomware has long been a threat for Internet users, with thieves generally holding up individuals and businesses. The recent attack at Hollywood Presbyterian proves that the risk is real in the medical world as well.
“It’s hugely significant,” said Rubin. “It’s a demonstration in the wild of the kind of thing that’s possible.
“It’s one thing to say that hospitals are in the sights of criminals. ... It’s another when someone does it, and you see it’s not just theoretical.”
While medical care providers face the same type of threats as anyone who uses a computer, medical device makers are shoring themselves up against the risk of specialized attacks.
In recent years, the medical device industry and regulators have taken action:
Balancing innovation against regulation is crucial, said Scott Erven, a medical device IT security consultant and associate director with the consulting firm Protiviti, who attended and spoke at that FDA workshop.
“Knee-jerk reactions aren’t a good thing,” he said. “If (manufacturers) stop bringing devices to market that would ultimately cost more lives.”
These are thorny issues for regulators — and controversial ones for those in the industry. Even the FDA’s attempts to establish disclosure programs have generated debate.
“When I talk to lawyers, they think that these disclosures are a terrible idea,” said Rubin. “It kind of gives the hackers a blueprint of who is more vulnerable, because if you’re having to share that you’ve been hacked and you’re doing it more than others, (criminals) may say: ‘These guys are easy to hack. Let’s go after them.’
“And they may be right.”
Physicians’ rules of first doing no harm apply equally to doctors, as well as cybersecurity practitioners, said Kevin Fu, the director of the Archimedes Center for Medical Device Security at the University of Michigan.
As cybersecurity in hospitals has evolved, patient safety is taking precedent over computer hygiene.
The priority has always been treating patients. That’s different than, say, in financial services, where the immediate risk of loss of cash has provided a strong incentive to focus on cybersecurity.
“They are more concerned with introducing a change with a (software) patch that could cause harm to human lives,” said Andrew Hay, the chief information security officer at DataGravity, a data management and storage startup.
For example, Fu explains, pacemakers are now adjusted wirelessly where once patients and doctors risked infections by calibrating a recipients’ heartbeats manually by periodically inserting the equivalent of a rod into their armpit to reach the device.
“Patients are far better off with these devices than without them,” he said. “If I was prescribed one of these devices today I’d take it in a heartbeat.”
For sure, no pun intended.
“Even though I’m a researcher, I consider (cybersecurity) a secondary factor in (medical device) safety.”
©2016 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.