Cyberattacks on Hospitals: How Ransomware and Bitcoin Threaten America’s Health Providers

EDITOR’S NOTE: On Tuesday of this week, news media organizations were reporting that U.S. intelligence officials delivered a report to both President Barack Obama and President-Elect Donald Trump outlining allegations that the Russians could have compromising information on him. The news came on the heels of a report on Russian hacking of email servers of the Democratic National Committee in the run-up to the presidential election, in what many are viewing as cyberwarfare.

It’s a nightmare scenario for any hospital: suddenly, all computer screens are stuck on a warning message indicating that “all of your data has been encrypted. In order to unlock access to your system, you must pay $250,000 in Bitcoin.” 

Immediately, the entire hospital is plunged into a crisis. It is impossible for staff to look up patient conditions or determine what treatments are required. Lives of patients are threatened. The IT group has no idea what to do. This is the threat of so-called “ransomware” – valuable data being kidnapped until a ransom is paid. 

Why do cyber-extortionists use Bitcoin? And what is Bitcoin?

It’s a cryptocurrency, or decentralized digital currency. It relies on a peer-to-peer system, which means there is no central point of control. It is open source software, so no company owns or controls Bitcoin. There is no intermediary for moving the currency from one party to another, no records, no taxes to pay, and no way to identify the party receiving the payment.

All Bitcoin transactions are recorded in a giant ledger that is distributed from one network node to another. This ledger is called the “blockchain.” There are Bitcoin ATMs. The amount of Bitcoin currently in circulation is worth well over $10 billion. In 2015, the British bank Barclays announced it will accept Bitcoin. The price changes, but in November 2015, one Bitcoin was the equivalent of around $500. But again, there is no central repository, like a central bank (Federal Reserve), and no one controls the currency supply. 

Bitcoin is a viable currency, and it is accepted for payment by many vendors. But it also is a favorite of criminals because there is no record of its use or transfer, no tracking, and of course, again, no taxes. According to the FBI, “criminals prefer Bitcoin because it’s easy to use, fast, publicly available, decentralized, and provides a sense of heightened security/anonymity.”

Ransomware

Ransomware, or “cyber extortion,” is said to have originated in Eastern Europe in 2005. The scourge of ransomware is spreading rapidly. In the United States, attacks are expected to top $1 billion in 2016. But these estimates probably ignore the vast majority of ransomware attacks that never are reported. According to the FBI, a typical ransomware payment is between $200 and $10,000. By early 2016, there were more than 4,000 reported ransomware attacks. The current rate is around 3,000 attacks per day. It is big business.

The names of ransomware programs read like a twisted hacker’s nightmare: CryptoWall, CTB-Locker, TeslkaCrypt, Samoas (SAMSAM), Locky (very popular), Conflickeer work, Chanitor, Nivdort bot, HummingBad, Triada, Ztorg, GameOverZeus, etc. The Android OS is particularly vulnerable. There are a few groups of cyber extortionists known for exploiting ransomware. These include the so-called Cyber Caliphate Army (CCA) and the Brazil-based TeamXRat. But there is need to worry about these specific groups, because you will never know who hit you. Table 1 summarizes a few of recent ransomware attacks against hospitals.

Table 1 — Examples of 2016 Ransomware Attacks on Hospitals

 

Hospital

Date

Incident

Keck Hospital (University of Southern California)

Aug. 1, 2016

Attack was contained and isolated. No ransom paid. Electronic medical record system not attacked. Operational documents were target.

Norris Hospital (University of Southern California)

Hollywood Presbyterian Medical Center, California

Feb. 15, 2016

$3.4 million demanded. Information systems were offline for a week.  Paid out $17,000. Malware introduced with phishing attack.

Marin General Hospital

July. 11-26, 2016

Ransom paid. Nine medical centers affected. Vital signs, limited clinical history, documentation of physical examinations, and all records between patients and their physicians were lost.

Hugh Chatham Memorial Hospital

Sept. 25, 2016

Ransomware attack failed. Hospital able to recover from backup.

MedStar Health (Columbia, Md.)

March 28, 2016

$19,000 demanded. Hospital refused to pay. Forced to revert to paper system during outage. Patient numbers reduced at its 10 hospitals and 250 outpatient centers.

Prime Healthcare (Desert Valley Hospital, Chino Valley Medical Center, Alvarado Hospital Medical Center)

Jan. 20, 2016

Systems down for several days. Hospitals were able to recover without paying.

Rainbow Children’s Clinic

August 2016

Lost patients’ names, addresses, dates of birth, Social Security numbers, medical information, payment guarantors. Payment not reported.`

Methodist Hospital (Henderson, Ky.)

March 25, 2016

Reported payment of $17,000 or much more.

Source: Barraclough NY LLC analysis.

How Hospitals Can Protect Against Ransomware 

Unlike financial institutions, hospitals in general do not have a great degree of experience in handling computer emergencies. Even though healthcare represents a large part of the economy, spending on cybersecurity is less than 10 percent of overall security spending. In other words, the healthcare sector is under-investing in security. And this needs to change. 

There are a number of steps hospitals can take to improve their defenses against ransomware. Any hospital might start with a ransomware audit. This audit would aim at developing a strategy or “playbook” to improve network security, help educate healthcare employees on good security practices, put in place a computer recovery plan, and develop a protocol to handle emergencies. A few options to consider are summarized in Table 2. 

Table 2 — Barraclough’s Best Practices for Hospitals Facing the Threat of Ransomware

Internal Audit.
Hire specialists to perform a ransomware audit. Must include a) IT infrastructure; b) contingency planning; and c) legal and regulatory response.

Put up Walls.
Isolate systems so they may not “infect” each other. For example, separate electronic medical records from personnel or other administrative systems.

No Internet Email.
Cut off email access to the outside Internet, or use only secure Web-based email not open to the Internet.

Notification Procedures.

Have in place a notification procedure in case patient records are compromised. This includes having a legal team on standby.

The Playbook.

Create a “crisis playbook” that defines key roles and activities in case of a ransomware incident. Rehearse this playbook in a live simulation every two months.

Mirror IT System.
Operate a parallel IT infrastructure that mirrors your current system. Have “hot switching” procedures in place to use the alternative system in case the primary system fails. Rehearse this changeover at least once every two months.

Have Paper Backup Available.
Know how to operate in manual mode. Build the capability to work in manual (paper-based) mode for at least seven days. Have computer-readable forms ready and make such each person is training in this contingency.

Law Enforcement Liaison.

Have pre-arranged contacts with law enforcement, both state and federal. Establish single point of contact in your institution. Ensure these persons know the law enforcement contacts on a professional basis.

Evidence Logging.

Train IT professionals and others to keep an “evidence log” so that all information regarding the ransomware crime is logged. Avoid erasing evidence when you restore your system.

Universal IT Security Training.

Institute IT security training for every single employee. Use online training. Build successful IT training into annual performance reviews to ensure everyone is trained.

Source: Barraclough NY LLC. This table: © 2016, Barraclough NY LLC, All Rights Reserved. For more information on ransomware audits, see http://www.barracloughllc.com

It is important to note that ransomware is not only an IT issue. There are important legal considerations. For example, if patient records are compromised, the healthcare provider must make notification. And this means that as many as tens of thousands of persons must be contacted, and in a timely manner.

No matter what measures a hospital takes against cyber-extortionists, the reality is that it is impossible to have 100-percent reliable protection against hackers. But there is much that can be done to a) lower the chances of being hacked; and b) ensure that if a ransomware incident takes place, it can be dealt with expeditiously and with the least harmful disruption to what is really important: helping patients.

Program Note 

RACmonitor presents a live webcast, “Protect Your Facility from Cyberattacks: Learn from Real World Examples,” Tuesday, Jan. 17, 1:30 p.m. ET

 

Facebook
Twitter
LinkedIn

Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

I050825

Mastering ICD-10-CM Coding for Diabetes and it’s Complications: Avoiding Denials & Ensuring Compliance

Struggling with ICD-10-CM coding for diabetes and complications? This expert-led webcast clarifies complex combination codes, documentation gaps, and sequencing rules to reduce denials and ensure compliance. Dr. Angela Comfort will provide actionable strategies to accurately link diabetes to complications, improve provider documentation, and optimize reimbursement—helping coders, CDI specialists, and HIM leaders minimize audit risks and strengthen revenue integrity. Don’t miss this chance to master diabetes coding with real-world case studies, key takeaways, and live Q&A!

May 8, 2025

Trending News

Featured Webcasts

Navigating the 3-Day & 1-Day Payment Window: Compliance, Billing, and Revenue Protection

Navigating the 3-Day & 1-Day Payment Window: Compliance, Billing, and Revenue Protection

Struggling with CMS’s 3-Day Payment Window? Join compliance expert Michael G. Calahan, PA, MBA, CCO, to master billing restrictions for pre-admission and inter-facility services. Learn how to avoid audit risks, optimize revenue cycle workflows, and ensure compliance across departments. Critical for C-suite leaders, providers, coders, revenue cycle teams, and compliance teams—this webcast delivers actionable strategies to protect reimbursements and meet federal regulations.

May 15, 2025
Audit-Proof Your Wound Care Procedures: Expert Insights on Compliance and Risk Mitigation

Audit-Proof Your Wound Care Procedures: Expert Insights on Compliance and Risk Mitigation

Providers face increasing Medicare audits when using skin substitute grafts, leaving many unprepared for claim denials and financial liabilities. Join veteran healthcare attorney Andrew B. Wachler, Esq., in this essential webcast and master the Medicare audit process, learn best practices for compliant billing and documentation, and mitigate fraud and abuse risks. With actionable insights and a live Q&A session, you’ll gain the tools to defend your practice and ensure compliance in this rapidly evolving landscape.

April 17, 2025
Utilization Review Essentials: What Every Professional Needs to Know About Medicare

Utilization Review Essentials: What Every Professional Needs to Know About Medicare

Dr. Ronald Hirsch dives into the basics of Medicare for clinicians to be successful as utilization review professionals. He’ll break down what Medicare does and doesn’t pay for, what services it provides and how hospitals get paid for providing those services – including both inpatient and outpatient. Learn how claims are prepared and how much patients must pay for their care. By attending our webcast, you will gain a new understanding of these issues and be better equipped to talk to patients, to their medical staff, and to their administrative team.

March 20, 2025

Rethinking Observation Metrics: Standardizing Data for Better Outcomes

Hospitals face growing challenges in measuring observation metrics due to inconsistencies in classification, payer policies, and benchmarking practices. Join Tiffany Ferguson, LMSW, CMAC, ACM, and Anuja Mohla, DO, FACP, MBA, ACPA-C, CHCQM-PHYADV as they provide critical insights into refining observation metrics. This webcast will address key issues affecting observation data integrity and offer strategies for improving consistency in reporting. You will learn how to define meaningful metrics, clarify commonly misinterpreted terms, and apply best practices for benchmarking, and gain actionable strategies to enhance observation data reliability, mitigate financial risk, and drive better decision-making.

February 25, 2025

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

CYBER WEEK IS HERE! Don’t miss your chance to get 20% off now until Dec. 2 with code CYBER24