While it was not the first hacked organisation to acquiesce to attackers’ demands, the California hospital that paid $17,000 in ransom to hackers to regain control of its computer system was unusual in one notable way: It went public with the news.
Hollywood Presbyterian Medical Center relented to the demands, President Allen Stefanek said, because he believed it was the “quickest and most efficient way” to free the Los Angeles hospital’s network, which was paralysed for about 10 days. That announcement sparked fears among hospitals and security experts that it would embolden hackers to launch more “ransomware” attacks and calls in California for tougher laws.
“It’s no different than if they took all the patients and held them in one room at gunpoint,” said California State Senator Robert Hertzberg, who on Thursday introduced legislation to make a ransomware attack equivalent to extortion and punishable by up to four years in prison.
Usually embarrassment and a desire to discourage hackers keep attacked companies quiet. Hollywood Presbyterian did not say why it made the disclosure, but its hand may have been forced by spreading rumors a week after the hack. Stefanek confirmed the cyber attack after at least one doctor appeared to have told local media. In addition, he disputed media reports the 434-bed hospital had faced a ransom demand of $3.4 million, far more than the amount paid in the hard-to-trace cyber-currency bitcoin.
In a ransomware attack, hackers infect PCs with malicious software that encrypts valuable files so they are inaccessible, then offer to unlock the data only if the victim pays a ransom. The hack at Hollywood Presbyterian forced doctors to use pen and paper in an age of computerisation. News reports said its fax lines were jammed because normal e-mail communication was unavailable, and some emergency patients had to be diverted to other hospitals.