Thursday, February 18, 2016

Hollywood Presbyterian Medical Center: Negligent hospital IT leaders allow hacker invasion that cripples EHRs, disrupts clinicians ... but patient safety and confidentiality not compromised

To the cybernetic idealists out there who think computers are the greatest thing next to sliced bread in the healthcare environment, I say, pray you are not on the operating table when something like this happens:

Hackers’ Ransom Attack On California Hospital More Proof Healthcare Cybersecurity Is Floundering
International Business Times
Jeff Stone

Who would have thought that, for healthcare professionals, performing surgery, working long hours and navigating the dense world of U.S. health law would be easier than protecting hospital computer networks? That, however, appears to be the case after yet another hospital was victimized in a cyberattack. It’s just the latest example of a U.S. medical provider on the wrong end of a digital assault made possible by a lack of security measures.

I, for one, would have thought that.  In fact, I've been writing about these issues for years (see my many posts at query links and

Doctors at Hollywood Presbyterian Medical Center, in southern California, have been suffering serious computer issues for at least a week, the CEO announced Sunday. Doctors have been unable to digitally access patients’ medical records, staff has been communicating via fax machines and patients have reported long delays in receiving care. It’s all the result of a cyberattack carried out by unknown hackers who are demanding 9,000 bitcoins (roughly $3.4 million) to restore the system to normal.

Ransom for access to EHRs.  The hospital's IT leadership should be held accountable for this invasion of the clinic by cybercriminals.  It's not like the issue is unknown:

... “Hospitals are a veritable bullseye for hackers,” said Grayson Milbourne, security intelligence director at the cybersecurity company Webroot, which works with a number of hospitals and healthcare companies. Milbourne added that the value of patient records is an irresistible target for cybercriminals. “For starters, [hospitals] run on a tight budget and their IT infrastructure is often a very low priority when compared to affording new medical devices and staff. 

More from at

... According to NBC, the damage has caused the hospital to be unable to continue day-to-day operations. To keep up activity at the medical center, the staff has turned to manual documentation using pen and paper to take down patient information and jammed fax lines and telephones to communicate from one department to another. The administration has forbidden the use of other computers for fear that the harmful software could spread to more workstations.  Allen Stefanek, President and CEO of the hospital, says that "significant IT issues" began to emerge last week, leading to a declaration of "internal emergency." He also mentions that the attack was random, not malicious, noting that the emergency rooms have been "sporadically impacted since Friday."

The realities of IT in 2016, when hospitals are increasingly dependent on IT command-and-control systems through which every transaction of care must pass, lead to the conclusion that "IT infrastructure is often a very low priority" reflects negligence.

Back to the IBT article.  The CEO at this hospital proffers the usual BS:

Hollywood Presbyterian’s CEO [Allen Stefanek] told NBC, “Patient privacy has not been compromised."  ...The intrusion  has been described as a ransomware attack, which is typically defined as an attack that involves a hacker infiltrating a victim’s computer, and encrypting their data until the victim agrees to pay a bitcoin ransom. The hospital denies any patient data has been compromised.

Right.  Hackers take control of information systems, but patient data has neither been altered, nor its privacy impaired.

From the second article:

... the patients are not safe from harm. Stefanek insists that the incident has no impact on the overall care for the patients, but some have spoken out to say otherwise. Jackie Mendez and her 87-year-old mother say that they have to drive to Palmdale to pick up medical tests, which takes them over one hour to do so. "It's bad. She's an older person. It's not right she has to do this," she says. Another patient named Belmont West is also affected by the incident. Belmont says he went to the hospital to get his grandmother's medical test results to no avail.

and there's this:

... some patients had to be transferred to other hospitals, as some of the medical equipment that need computers at the Hollywood Presbyterian Medical Center were rendered inoperable, including apparatuses for X-ray and CT scans, documentation and pharmacy and lab work.

These ridiculous executive canned lines, including "the incident has no impact on the overall care for the patients" a.k.a. "patient safety had not been compromised" (see query link, are increasingly absurd, non-credible, and tiring.

The urgency [for hospitals to meet standards of care for IT security -ed.] is growing. One in three Americans had their health records breached in 2015, according to multiple reports released last month. Many of those records were breached as part of the nation-state hacks on health insurers Anthem and Primera, though experts predict hospitals will become more attractive targets as they begin to rely on insulin pumps, intravenous flows and other machines that are connected to the Internet.

I note that if hospitals cannot afford the required diligence, they need to get out of the IT business.  Paper cannot be hacked or held for ransom en masse.

In the end, the hospital appeased the hackers:

Hospital paid 17K ransom to hackers of its computer network
Associated Press
Feb. 17, 2016 11:44 PM EST

LOS ANGELES (AP) — A Los Angeles hospital paid a ransom of about $17,000 to hackers who infiltrated and disabled its computer network because paying was in the best interest of the hospital and the most efficient way to solve the problem, the medical center's chief executive said Wednesday.  Hollywood Presbyterian Medical Center paid the demanded ransom of 40 bitcoins — currently worth $16,664 dollars — after the network infiltration that began Feb. 5, CEO Allen Stefanek said in a statement. ... "The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key," Stefanek said. "In the best interest of restoring normal operations, we did this."

They got off cheap for their negligence, relative to the initial demands.

Questions remain, however:

  • Was any patient data altered or corrupted, either deliberately or as a result of the hack?
  • Was any patient data copied or stolen?
  • Was any malicious code left behind by the hackers on any computer on the network, e.g., "back doors" or other malware that could cause future problems?  Put another way, after paying the ransom, does the hospital believe it is dealing with 'honorable criminals'?
  • One might presume the hospital, in an abundance of caution, is now paying after-the-fact for the expertise required to fully assure the integrity of its networks, computers and EHR and other business systems, but is this truly the case?
  • Were any patients harmed as a result of the disruptions to information flows, and of so, are the IT leaders in part liable? 
  • Will any patients suffer harm moving forward as a result of lost computer information during the episode, incomplete backloads of data on the paper that was resorted to during the crisis, or other factors?  Medical errors due to lost data can propagate forward in time, as I can attest to both personally and professionally.

It is my belief that, until and unless hospital leadership is held fully accountable for incidents such as this, such incidents will be one of many more moving forward.

Incidents like this are made more tragic by the increasing evidence that the benefits from healthcare cybernetics are not exactly what the zealots, pundits and industry opportunists advertised.

-- SS

1 comment:

Ben Cooper said...

This is a bad sign that there is lacking in security on medical records of patients here. Those records are private and hackers can use them for their own bad interest. We all know when we turn back in manual documentation, the services will slow down and many patients are waiting for their turn. They should be ready with hardware data just in-case this could happen, sadly it's happening.