Hollywood Hospital Hack Overview

Last week there was quite a bit of discussion in the news concerning the Hollywood hospital hack.  So, this week we’re going to take a brief break from our NSA Watch Your Back series to discuss why this attack is more important than most people realize.

As a quick refresher, on February 5th, 2016 Hollywood Presbyterian Medical Center suffered a major security incident when ransomware hit the medical center’s network.  Note:  Many news organizations referred to Hollywood Presbyterian Medical Center as Hollywood Hospital, and for familiarity we will do the same here.  NBC Los Angeles was one of the first news organizations to report the incident.

For those of you who haven’t heard of ransomware, it is a class of malware that has become a routine sight on the internet.  Typically it does one of two things:  it locks the user out of their computer until they pay a ransom, or it encrypts the files on the computer (and on every network share the infected machine can reach) and then demands a ransom, usually in Bitcoin, for the key to decrypt them.  In the end the Hollywood hospital hack cost the medical center $17,000 (40 Bitcoins).

Ransomware is a (dis)reputable business in the criminal hacking world.  Disreputable in that what they’re doing is just plain wrong.  Reputable in that, if you pay the ransom, the attackers generally do release your data; their business model depends on victims believing that payment works, so they want everyone to know that paying restores access.  It’s just business to them.  The executives in charge were probably told as much and so made the decision to simply pay the ransom in the Hollywood hospital hack.  Keep in mind that this is a criminal’s promise, not a guarantee:  there is no recourse if the key never arrives or the decryptor is buggy, and paying does nothing about the foothold that let the malware in.

Analysis of Situation

Security professionals sit on both sides of the fence on whether the ransom should have been paid in the Hollywood hospital hack (or in any other ransom attempt).  From a business actuarial perspective I agree with their decision to pay.  Here is why.  This is conjecture, but I’m guessing their decision was guided by several basic assumptions:

  1. As a medical center the first and foremost mission is to ensure the safety of the patients and those under their care.
  2. It is both costly and dangerous to transport patients to other medical institutions (in spite of the fact that they had to do this).
  3. If the computer systems are inoperable for more than one day patients in critical care must be transported to other medical institutions.
  4. The medical center is a business, and must be operationally functional in order to be financially successful.
  5. The operational costs of the medical center for one day exceed the ransom by some amount X.
  6. The medical center’s security is inadequate to repel this attack.
  7. Restoring the infrastructure will take longer than one day.

These assumptions let the business perform a basic cost/benefit analysis to decide whether to pay the ransom or restore service through standard IT recovery procedures.  To show why I say their decision makes financial sense, we can do a quick calculation.  According to item 17 on Becker’s Hospital Review, the cost of a for-profit hospital bed is $1,629 per day.  Let’s assume that 20% (I don’t know the actual number) of their 434 beds were occupied, so 87 beds.  That puts their per-day cost at $1,629 × 87 = $141,723.  Now add an $800 ambulance ride for each of 10 patients (it was reported that some patients were moved, but the number wasn’t specified) who must be transferred after one day:  10 × $800 + $141,723 = $149,723.

Note that this calculation doesn’t include the administrative cost of moving the patients, or the negotiations over what other medical institutions charge to accept them.  Nor does it attempt to price the network cleanup or the damage to the brand.  Finally, the hospital claimed that patient care was not disrupted (a claim I find suspect given that patients had to be moved to other institutions).  So we’ll be charitable and say that the Hollywood hospital hack reduced their ability to perform their mission by 20%, which leaves the cost of one day at 0.2 × $149,723 = $29,944.60.  By paying the ransom the medical center would save $29,944.60 – $17,000 = $12,944.60 on the first day alone, and a further $29,944.60 for each additional day of delay.

Please be aware that the calculations above are simply an exercise (albeit a realistic one) to show why it made business sense for them to pay the ransom.  All in all this was a cheap lesson for them; well, it is if the HHS Office for Civil Rights (OCR) doesn’t open a HIPAA investigation into the organization (or refer the matter to the Department of Justice).  Given that their electronic health records were at significant risk during the compromise, I don’t think an investigation is out of the question.  According to the 2015 Cost of Data Breach Study:  United States by the Ponemon Institute, the per-capita cost of a breached healthcare record in 2015 was $398.  Suppose we later discover that 10,000 patient records were exposed.  The Hollywood hospital hack could then cost the organization up to 10,000 × $398 = $3,980,000.  You read that right:  almost $4 million.  Let me be clear:  no one has said that any records were taken, but if a forensic investigation finds that they were, this situation could turn very nasty for the medical center.

But wait, I said that all in all paying the ransom was a cheap lesson, and almost $4 million definitely doesn’t sound cheap.  Here’s why I said it:  so far the only costs we know the medical center has suffered are (at least) the following:  the ransom, the cost of transporting patients, forensic recovery experts from a security firm, the cost of lost effectiveness, the cost of turning patients away during the outage, the cost of remediating the infiltrated infrastructure, and damage to the brand.  Yes, that number is easily going to be north of $80,000 in total, but it’s a heck of a lot better than $4 million, provided the records weren’t breached.
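To make the arithmetic above reusable, here is a small Python model that reproduces the numbers and then asks the question hidden in assumption 7:  how fast an in-house restore must be before paying stops making financial sense.  This is an added example, not code from the original post or from Cybriant; every default in it is one of the post’s assumed figures (20% occupancy, ten $800 ambulance rides, 20% loss of effectiveness, the $1,629 bed-day from Becker’s and the $398 per-record figure from Ponemon), not verified hospital data.

```python
"""Toy pay-or-restore model for a ransomware outage.

Added example, not code from the original post or from Cybriant.  Every
default below is an assumption carried over from the post, not reported data.
"""
from dataclasses import dataclass


@dataclass
class OutageModel:
    beds: int = 434                    # Hollywood Presbyterian's licensed beds
    occupancy: float = 0.20            # assumed, not a reported figure
    bed_cost_per_day: float = 1629.0   # Becker's Hospital Review, for-profit bed-day
    patients_transferred: int = 10     # assumed number moved after day one
    ambulance_cost: float = 800.0      # assumed cost per transfer
    effectiveness_loss: float = 0.20   # share of the mission the outage disrupts
    ransom: float = 17000.0            # 40 BTC at the time of the attack

    def occupied_beds(self) -> int:
        return round(self.beds * self.occupancy)

    def gross_daily_cost(self) -> float:
        """Full cost of one day: occupied beds plus transfers (the post's $149,723)."""
        return (self.occupied_beds() * self.bed_cost_per_day
                + self.patients_transferred * self.ambulance_cost)

    def daily_outage_cost(self) -> float:
        """Only the disrupted share of the day is charged to the outage."""
        return round(self.gross_daily_cost() * self.effectiveness_loss, 2)

    def advantage_of_paying(self, restore_days: float) -> float:
        """Money saved by paying instead of restoring in-house over restore_days.

        Positive: paying is cheaper under these assumptions.
        Negative: the in-house restore would have been cheaper than the ransom.
        """
        return round(self.daily_outage_cost() * restore_days - self.ransom, 2)

    def breakeven_restore_days(self) -> float:
        """Recovery time at which restoring costs exactly the ransom.

        A tested backup that gets you back faster than this makes paying
        pointless; slower than this and the ransom starts to look "cheap".
        """
        return self.ransom / self.daily_outage_cost()


def breach_exposure(records: int, cost_per_record: float = 398.0) -> float:
    """Ponemon 2015 per-capita healthcare figure times records, if any were taken."""
    return records * cost_per_record


if __name__ == "__main__":
    m = OutageModel()
    print(f"occupied beds:          {m.occupied_beds()}")
    print(f"gross daily cost:       ${m.gross_daily_cost():,.2f}")
    print(f"daily outage cost:      ${m.daily_outage_cost():,.2f}")
    for days in (0.5, 1, 2, 3):
        print(f"restore in {days} day(s):  paying saves ${m.advantage_of_paying(days):,.2f}")
    print(f"break-even restore:     {m.breakeven_restore_days():.2f} days")
    print(f"10,000 records exposed: ${breach_exposure(10_000):,.0f}")
```

Under the post’s assumptions the break-even restore time is a little over half a day:  a hospital that can rebuild from backups in a morning has no financial reason to pay, while one whose restore takes days is paying for its own recovery-time gap.  Change `occupancy` or `effectiveness_loss` to see how quickly that break-even moves.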

The Important Lessons Learned

Okay, so we now understand why the lesson was cheap, but what was the lesson?  What should they have learned from this experience?  I would suggest that they, and every other healthcare organization, begin by recognizing that they must take security seriously and readily allocate more than an adequate budget to cover their needs.  Security must be pervasive in every aspect of the hospital.  The reason is simple:  the electronic equipment in a hospital is responsible for keeping patients alive, and yet the standards protecting hospital networks are immature compared with the standards (PCI DSS) that protect something as mundane as credit card numbers.

The security issue becomes terrifying once you realize that many life-support systems are built on Microsoft Windows or Linux, the two operating systems that attract the most malware.  An attacker doesn’t have to be deliberately trying to harm someone, as in the show Homeland where the attackers targeted the Vice President’s pacemaker.  Malware simply needs to do what it does best:  infect entire networks, move laterally, and render the user’s computer unusable.

Except that, in a hospital, the user’s computer could be a blood transfusion device or an IV infusion pump.  No one would be the wiser until a nurse or doctor visually inspected the equipment and confirmed whether it was working as expected.  Here’s another possibility:  the malware infects both the IV infusion pump and the monitoring station and locks them simultaneously.  A patient could very possibly die in the time it takes to resolve the malware issue.

There are many more cases where viruses, malware, and ransomware could do catastrophic harm to patients and yet no one would be the wiser.  According to the Online Trust Alliance (OTA), over 90% of data breaches could have been easily prevented.  So, how can you shrink the bull’s-eye on your organization?  Begin with a Security Assessment, not a HIPAA assessment.  HIPAA assessments help you check boxes and pass muster with auditors; a Security Assessment takes a holistic view of your organization’s security posture.  I recommend that a third party perform the assessment, simply because they look at your organization with fresh eyes and will see things to which the internal staff is blind.

Next, realize that the traditional IT security paradigm won’t protect you operationally.  I won’t go into depth on these, as each could fill a multipage article on its own.  Here are the highlights:  antivirus, perimeter firewalls, and sacrificing chickens DO NOT, on their own, PROTECT YOUR INFRASTRUCTURE!  You need to move to application whitelisting, malware hunting, unified firewall orchestration, IDS/IPS, and a SIEM that watches everything going on in your network.  Against ransomware specifically, the other half of the answer is boring:  tested, offline backups and a rehearsed restore procedure, because the ransom only has leverage when restoring takes longer than paying.  I would argue these newer approaches are fundamental to IT security, but they are not all-encompassing.  Many solutions provide these types of functionality, and each has its pros and cons.  It’s important to weigh those carefully, and if your staff doesn’t have direct experience with these technologies, find a solution provider who can help you.
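To make “a SIEM that watches everything” concrete, here is the kind of rule a SIEM or malware-hunting job would run against file-server audit events to catch encrypting ransomware in the act.  This is an added example written for this page, not code from the original post or from Cybriant, and not a rule from any particular product.  The log format, usernames, hostnames, share paths and the “.crypt” extension are all constructed for illustration and are not tied to any real ransomware family.  The rule encodes what the post describes ransomware doing to reachable network drives:  one principal touching many files in a short window and renaming them to an extension the organization has never seen before.

```python
"""Toy SIEM-style ransomware detector over file-server audit events.

Added example, not code from the original post or from Cybriant.  Log lines,
names, paths and the ".crypt" extension are constructed for illustration.
"""
from collections import Counter, defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
import os

WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 5   # distinct files one user@host must touch inside WINDOW
EXT_THRESHOLD = 3     # renames to the same never-seen extension inside WINDOW
BASELINE_EXTENSIONS = {".dcm", ".pdf", ".docx", ".xlsx", ".hl7", ".txt"}  # constructed

# Constructed audit feed: timestamp user host action path.  Three stories:
# a PACS service legitimately dumping images fast, an admin slowly making
# .bak copies, and an ICU workstation encrypting a radiology share.
SAMPLE_LOG = """\
2016-02-05T02:00:00 pacs-svc PACS01 WRITE /shares/radiology/scan-0101.dcm
2016-02-05T02:00:01 pacs-svc PACS01 WRITE /shares/radiology/scan-0102.dcm
2016-02-05T02:00:01 pacs-svc PACS01 WRITE /shares/radiology/scan-0103.dcm
2016-02-05T02:00:02 pacs-svc PACS01 WRITE /shares/radiology/scan-0104.dcm
2016-02-05T02:00:03 pacs-svc PACS01 WRITE /shares/radiology/scan-0105.dcm
2016-02-05T02:00:03 pacs-svc PACS01 WRITE /shares/radiology/scan-0106.dcm
2016-02-05T02:30:00 rsmith WS-ADMIN-02 RENAME /shares/finance/q4-budget.xlsx.bak
2016-02-05T02:41:00 rsmith WS-ADMIN-02 RENAME /shares/finance/q3-budget.xlsx.bak
2016-02-05T02:52:00 rsmith WS-ADMIN-02 RENAME /shares/finance/q2-budget.xlsx.bak
2016-02-05T03:14:01 jdoe WS-ICU-07 WRITE /shares/radiology/scan-0091.dcm
2016-02-05T03:14:01 jdoe WS-ICU-07 RENAME /shares/radiology/scan-0091.dcm.crypt
2016-02-05T03:14:02 jdoe WS-ICU-07 WRITE /shares/radiology/scan-0092.dcm
2016-02-05T03:14:02 jdoe WS-ICU-07 RENAME /shares/radiology/scan-0092.dcm.crypt
2016-02-05T03:14:03 jdoe WS-ICU-07 WRITE /shares/radiology/scan-0093.dcm
2016-02-05T03:14:03 jdoe WS-ICU-07 RENAME /shares/radiology/scan-0093.dcm.crypt
2016-02-05T03:14:04 jdoe WS-ICU-07 WRITE /shares/radiology/scan-0094.dcm
2016-02-05T03:14:04 jdoe WS-ICU-07 RENAME /shares/radiology/scan-0094.dcm.crypt
2016-02-05T03:14:05 jdoe WS-ICU-07 WRITE /shares/radiology/HOW_TO_RECOVER.txt
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    action: str
    path: str


@dataclass
class Alert:
    user: str
    host: str
    first_seen: datetime
    triggered_at: datetime
    files_touched: int
    extension: str
    renames: int


def parse(text: str) -> list:
    """Parse the constructed audit format; sort because feeds arrive out of order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, host, action, path = line.split(maxsplit=4)
        events.append(Event(datetime.fromisoformat(ts), user, host, action.upper(), path))
    events.sort(key=lambda e: e.ts)
    return events


def extension(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def detect(text: str, window=WINDOW, burst_threshold=BURST_THRESHOLD,
           ext_threshold=EXT_THRESHOLD, baseline=BASELINE_EXTENSIONS) -> list:
    """Sliding-window rule: many files touched AND renamed to one unseen extension."""
    recent = defaultdict(deque)   # (user, host) -> events inside the window
    alerted, alerts = set(), []
    for ev in parse(text):
        key = (ev.user, ev.host)
        q = recent[key]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # evict events older than the window
            q.popleft()
        if key in alerted:                # one alert per principal per run
            continue
        touched = {e.path for e in q if e.action in ("WRITE", "RENAME", "DELETE")}
        unseen = Counter(extension(e.path) for e in q if e.action == "RENAME"
                         and extension(e.path) not in baseline and extension(e.path))
        if len(touched) >= burst_threshold and unseen:
            ext, n = unseen.most_common(1)[0]
            if n >= ext_threshold:
                alerts.append(Alert(ev.user, ev.host, q[0].ts, ev.ts, len(touched), ext, n))
                alerted.add(key)
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"ALERT {a.user}@{a.host}: {a.files_touched} files touched, "
              f"{a.renames} renamed to {a.extension} by {a.triggered_at.isoformat()}")
```

The two benign stories are why both conditions are required:  the PACS service writes six files in three seconds but to a known extension, and the admin’s `.bak` renames are unseen but spread over twenty minutes, so neither trips the rule.  The ICU workstation trips it on the third `.crypt` rename, two seconds into the run and well before the ransom note lands.  In production the baseline extension set would be learned from the share’s own history rather than typed in, and the alert would feed a response that isolates the host, not just a dashboard.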

The Hollywood hospital hack was just the tip of the iceberg.  I hope it serves as a wake-up call to the medical industry, because what happened here was merely an inconvenience.  Losing patient medical records isn’t good either, but it’s nothing compared to what is coming:  at some point in the next year or two, patient lives will be held for ransom.  Sadly, the hacker on the other side of the world probably won’t realize that they are potentially harming or killing innocent people.  They’ll just know that they’ve had another successful day of collecting Bitcoins, and will proceed to build even more dangerous malware variants.  Remember, it’s nothing personal; it’s just business.

Protect your healthcare organization by contacting Cybriant, your competent security solution provider.