Hollywood Presbyterian Medical Center recently paid a ransom of $17,000 in bitcoin to hackers, according to the LA Times. The hackers used malware to infect the institution’s computers, locking hospital staff out of those devices and cutting off the communication that ran through them.
The hospital’s CEO said they paid the ransom “in the best interest of restoring normal operations”. From a business perspective, the decision was a no-brainer: $17,000 is a drop in the bucket for a hospital with annual patient revenue near $1 billion that needs to get back to treating patients. But from a long-term security perspective, paying the ransom sets a dangerous precedent. It rewards the attackers, funds their next campaign, and does nothing to close the hole they came in through. Just look at what happened with piracy off the Horn of Africa.
Somali pirate attacks on international shipping routes reached a fever pitch in 2010, both in the raw number of attacks and in the ransoms paid to free cargo ships: 47 hijackings, roughly 200 attempted attacks, and about $100 million in total ransoms paid.
Compare that to just five years earlier, when virtually no ransoms were paid at all. It should be noted that at the time most of these ships were largely unprotected and international efforts to stem piracy were lacking.
As pirates saw shipping executives’ willingness to pay, they saw the ROI and became bolder, demanding larger and larger ransoms. The shipping companies usually paid, after months of negotiation. It was a good time to be a pirate.
While $17,000 doesn’t sound like a lot of money in a $3 trillion healthcare industry, that number will grow as other hackers and organized crime catch on to the opportunity, much as the pirates did in Somalia.
But a funny thing started to happen with Somali piracy around 2011. The attacks and hijackings collapsed.
The shipping industry, along with a coalition of foreign governments, decided it had had enough and implemented a multi-faceted plan to combat piracy:
- The shipping industry started defending its cargo ships with armed guards and high-pressure water cannons to deter pirates
- International naval fleets stepped up patrols in high-risk shipping lanes
- Pirates faced harsh repercussions for hijacking (including death at the hands of U.S. Navy SEALs)
Essentially, the shipping industry quickly learned how to remove the pirates’ incentive to hijack its ships by making it more costly and more dangerous to do so. In business parlance, hijacking off the Horn of Africa stopped being a profitable and attractive venture.
What is the healthcare industry doing to deter hackers from hijacking its systems for ransom?
Not enough. Healthcare is notorious for being behind the curve on cybersecurity, despite the surge in attacks. A 2015 HIMSS cybersecurity survey found that two-thirds of respondents had experienced a significant attack in the past. And over one-third of Americans have had their personal health information compromised, according to HHS breach reporting.
What can healthcare do to protect itself from the future trend of hijacking and ransoms? Take a lesson from the shipping industry:
- Implement modern cybersecurity practices: multifactor authentication, tested offline backups so that an infection never forces a pay-or-shut-down choice, and better employee training programs
- Partner with law enforcement to help detect and catch cybercriminals, through organizations like the FBI’s InfraGard
- Ask the government to update its wildly outdated health data security laws (the core safeguards of HIPAA’s Security Rule, for example, date from 2003 and have been in force since 2005)
Until it takes security more seriously, healthcare will remain a big, unprotected cargo ship in dangerous waters full of pirates.