How could a computer hack take down an entire hospital? – 89.3 KPCC
Hackers have taken a hospital in Los Angeles hostage, and they say the only cure is to fork over more than $3.4 million.
The computer network at Hollywood Presbyterian Medical Center has been shut down since last week, a victim of a nasty infection known as ransomware. With computers offline, some patients had to transfer to other hospitals. Certain procedures like CT scans couldn’t be done and people’s personal medical records were affected, too.
Brian Barrett wrote about the incident for Wired magazine. He spoke to Take Two about how a computer hack could take down an entire hospital. Here are the highlights.
It’s had a lot more public instances lately, but ransomware has been around for about 10 years. Recently though, it’s been more high profile because it’s evolved. What happens is any other malware that might take over your computer if you click on a suspicious link, except this time when you click on it, it will block you from accessing your computer. And instead, you’ll see a message that says, “Pay this amount, and then I’ll let you get back in.”
What appears to have happened in this case, although the hospital has not released any details, is that a new twist is that they’re encrypting all the information on your computer. So that not only can you not access it, you run the risk of never being able to get to it again unless you pay up. And you get a key to get the information back.
Do we know who initiated this particular attack?
We don’t. And there’s every chance that we may never. The payment systems are through bitcoins, so the screen will show up and say, “Pay us this much bitcoin” — in this case 9,000, which is about $3.5 million. And those payments end up going to anonymous digital wallets so you never really find out who’s behind it. There are dozens of people who are using ransomware today — organized groups, individuals. It’s really hard to track them down.
How did they get to this hospital?
Of the little information [the hospital has] given out, they did say it appeared to be a random act. And what happens is, these hackers will put a wide sweep of links in malicious places for people to click, [like] in emails. They basically go phishing.
There’s every chance that someone from the hospital just happened to click on the wrong email link and then the hackers found out what they had. And as for this exorbitant sum, a lot of the times when you see these attacks it will be a few hundred dollars here and there. The FBI has even said in the past, “Go ahead and pay it. It’s not worth it.”
In this case, they’re not. I think because it’s such a large amount of money. But yeah, it looks as though someone at the hospital was just unfortunate enough to click the wrong link at the wrong time.
Hospitals are frequently targeted by hackers partly because they have such sensitive information and they have access to a lot of personal records. It’s not clear that this is the case though.
We did reach out to Hollywood Presbyterian but they didn’t return our call for comment. But they do have an outgoing voice message that says they’ll have a statement later today. Is there a way to break the hack without having to pay the ransom?
That’s what they’re working with the FBI and LAPD on right now. It’s very difficult though, especially when if it’s the case where — again we don’t know for sure — but if it is the case where the hackers have encrypted all the information then they have a digital key that can unlock it. And without that key, it can be very, very difficult to access that information again.
So you know it is hypothetically impossible. They’re going to have a hard time doing it, and they probably need to track down the people who perpetrated this in order to have access.
Why ask for the ransom in bitcoin?
Bitcoin is anonymous. It’s called a cryptocurrency. It’s very popular among all sorts of people, hackers or not. But it’s untraceable basically. The payment would go to a digital wallet that was anonymous. There’s no way to find out whose it is. So that’s really the preferred method for this instances. It’s sort of the Swiss bank account of the Internet.
The idea of regulating bitcoin is something that gets tossed around here and there. It’s also partly the fact that it’s so decentralized. It’s hard to regulate in that way too. But I think it’s one of those situations where anytime you have an anonymous system or a decentralized system, you’re going to have benefits and then people who take advantage of that situation.
Should we be worried?
If anything, those alarm bells should probably already have gone off. So if this raises more awareness of this as an issue, that’s great. And the good news is protecting yourself against ransom, where really it isn’t that different from protecting yourself against any other kind of malware.
You’ve got to make sure that software is up to date with all the security patches from, whether it’s Apple or Microsoft, or whoever. Don’t click on links that you don’t trust. Don’t go to sites that you don’t trust. And that’s as true on your phone as it is on your laptop or desktop. If you do find yourself in this situation, certainly report it to the authorities. But know that you may end up having to pay.