



Ransomware attacks force hospitals to stitch up networks

May 19, 2016 · 4 mins
Backup and Recovery, Data Breach, Network Security

Exploitation of hospitals by cyber criminals should not come as a surprise, particularly as threat actors have demonstrated a penchant for monetizing information of all kinds.  Indeed, as of 2013, according to one news report, cyber criminals were observed increasingly targeting the $3 trillion U.S. healthcare industry. 

Medical data is often seen as more profitable than standard personally identifiable information as it includes such data as policy numbers, diagnosis codes, and billing information, in addition to patient names, addresses, and Social Security numbers. For example, according to one source, stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.

However, recent activity reveals that these enterprising criminal elements are focusing their efforts against hospitals in particular as soft victims whose cyber security postures can be easily compromised. Whereas prior incidents have focused on gaining surreptitious access in order to steal information, recent incidents demonstrate how criminals are resorting to rendering hospital systems and networks inoperable for extortion purposes by deploying ransomware against their targets. I recently conducted a podcast on this topic for Campus Safety Magazine and contributed to a Ransomware brief created by the Institute for Critical Infrastructure Technology (ICIT).

According to one news source, since first appearing in 2013, 56 types of ransomware have appeared. However, the versions being implemented now are increasingly sophisticated. What’s more, ransomware is an effective tactic largely because the victims pay the ransom, which can yield significant profits for criminals. 

One cyber security vendor reports that ransom demands have been for as much as $50,000. One United Kingdom study found that approximately 40 percent of infected organizations actually paid the ransom to the criminals behind the CryptoLocker ransomware. The encryption employed by these actors is so advanced that it prompted at least one Federal Bureau of Investigation agent to recommend just paying the ransom as the easiest course of action for the victim. When officials of the nation’s leading law enforcement entity make such an admission, it’s little wonder that hostile actors see this malware as an advantageous tool in their criminal arsenals.

Recent events targeting hospitals demonstrate the increasing interest of hostile cyber actors in exploiting these information-rich institutions using ransomware. Given how important it is for these institutions to be able to access and process critical patient information, it’s easy to see why extorting hospitals is an easy crime to commit. Since the beginning of the year, the following incidents have transpired against hospitals:

  • In February 2016, hackers shut down the internal computer system at a Hollywood-area hospital for a ransom of 9,000 bitcoin, or almost $3.7 million, forcing the facility to revert to paper registrations and medical records and send 911 patients to other area hospitals. The hospital paid $17,000 to the criminals.
  • One month later, two more California hospitals were targeted in ransomware attacks. According to one hospital spokesperson, no patient data was compromised and neither hospital paid the ransom.
  • Also in March 2016, a Kentucky-based hospital fell victim to a ransomware attack, in which administrators declared an internal state of emergency, shutting down all desktop computers and web-based systems in an effort to mitigate the spread of the ransomware. It took five days to mitigate, respond, and recover from the attack without the hospital paying the ransom.
  • In late March 2016, Baltimore’s Union Memorial Hospital was the epicenter of a malware attack upon its parent organization, MedStar. Data at Union Memorial and other MedStar hospitals in Maryland had been encrypted by ransomware spread across the network. Efforts have been slow but successful in getting systems up and running again, although there have been some administrative disruptions.

Despite the varying levels of success in these efforts, the incidents demonstrate that hospitals remain high-profile targets because not only is the data valuable, but so is the ability to access it. Once ransomware was on the networks, hospitals were forced to resort to finding and using paper copies, fax machines, phones, and any other non-connected devices, while network administrators hastened to get their systems up and running. The result of these activities has made a lasting impact on operations: in some instances doctors even had to reschedule high-risk surgeries.

The lesson to be drawn from these recent incidents is the need for hospitals to develop and implement a strong cyber resiliency plan that incorporates incident response as well as recovery operations from such attacks. The threat of ransomware demonstrates the need for hospitals, as well as all organizations, to identify critical information and properly store it on backup systems that are independent of the main network. While we can’t necessarily predict when attacks against us will occur, we can always be prepared to respond to them once they do. In this day and age when breaches are an almost everyday occurrence, it is not just a necessity, but a responsibility.


Over the last two decades Brian Contos helped build some of the most successful and disruptive cybersecurity companies in the world. He is a published author and proven business leader.

After getting his start in security with the Defense Information Systems Agency (DISA) and later Bell Labs, Brian began the process of building security startups and taking multiple companies through successful IPOs and acquisitions including: Riptech, ArcSight, Imperva, McAfee and Solera Networks. Brian has worked in over 50 countries across six continents and is a fellow with the Ponemon Institute and ICIT.

The opinions expressed in this blog are those of Brian Contos and do not necessarily represent those of IDG Communications Inc. or its parent, subsidiary or affiliated companies.