Carl Wright, general manager and executive vice president of worldwide sales at cybersecurity firm TrapX Security, Inc., has seen and worked to foil a lot of hacks in previous stints as a U.S. military chief information security officer and defense information officer.
But this week’s Hollywood hospital attack stands out, he said.
Wright told SearchHealthIT that the apparently unprecedented ransom amount (about $3.6 million in the digital currency bitcoin) that the hackers are audaciously demanding from Hollywood Presbyterian Medical Center flows from an axiom of cyberhacking and warfare itself: go for the big hit.
Cyberattacks such as this ransomware attack, which disabled much of the Los Angeles hospital’s data network after an employee apparently opened an email containing malware, are usually perpetrated by either criminals or foreign states. In this case the attackers appear to be criminals, Wright said.
“As such, they’re entrepreneurs, though a bad kind of entrepreneur,” he said. “But when you’re an entrepreneur and you focus on profitability, you focus on high-value targets, and this makes sense when you see what happened in Hollywood.”
In other words, this hospital is located in one of the country’s most affluent zip codes. Los Angeles has also been hit by thefts of protected health information (PHI), but that seems not to be the case with this incident, Wright noted.
Typical ransomware attacks on health IT targets have been accompanied by much lower demands, in the $500 range, which victims generally pay to get their data unlocked.
But Wright drew an analogy in this case to the practice of Somali pirates, who typically take a ship’s crew and cargo hostage, then wrangle steep payouts from the shipping company’s insurer.
He said we may not know right now whether the FBI and law enforcement are telling the Hollywood hospital not to pay, or if some kind of payment is being negotiated behind the scenes.
Meanwhile, Wright and other cybersecurity experts have noted a sharp uptick in recent years in cyberattacks on health IT systems because of the high value of PHI, which generally contains more valuable and long-lived personal information than credit card accounts, which can be easily frozen.
A May 2015 TrapX report on healthcare cyberhacks presented three detailed case histories of recent attacks on connected medical devices in which attackers gained access to the hospitals’ main computer systems.
The devices included X-ray equipment, picture archiving and communication systems (PACS) and blood gas analyzers, TrapX reported.
One distressing insight to be gained from all this is “healthcare is at least five years behind” other industries in terms of its data security preparedness, Wright said.