The first sign seems innocuous enough if you don’t know what you’re looking at: Files in the computer appear as decrypt.html, or decrypt.txt instead of their usual names.
Then, you click. A box pops up that gives you an ultimatum: Want the file? You’ll have to pay up, and probably in bitcoin.
That is what happened at U.S. hospitals in the past month inCalifornia, Kentucky, Maryland and the District of Columbia. The malware attacks have left the 14 hospitals — 10 of which are part of the MedStar hospital group — unable to access patient data and, in some cases, having to turn patients away.
Hospitals are not alone in their vulnerability; last month, a cafe in Maryland was hit with a ransomware attack. In another instance, Mac computers were targeted. Last year, police in Massachusetts paid hackers to return access to their data. Companies and individuals in the U.S. lost more than $24 million to ransomware in 2015, according to the FBI.
And in February at the Hollywood Presbyterian Medical Center in Los Angeles, administrators paid the asking price of 40 bitcoin, about $16,664 at the time, to regain access to their data. At MedStar, the hospital is being asked to pay 45 bitcoin.
Several MedStar employees saw a message on their computer screens: “You just have 10 days to send us the Bitcoin. After 10 days we will remove your private key and it’s impossible to recover your files.”
“The big difference with health care is that the consequences are greater,” Kevin Fu, an associate professor at the University of Michigan who studies computer security issues in hospitals, told the MIT Technology Review. “You can lose your email and that’s annoying, but patient records are needed in order to treat patients.”
Though bitcoin is not in itself a driver of cybercrime, it allows the hackers to have instant access to the money without its having to go through a bank or credit card. Peter Van Valkenburgh, director of research at Coin Center, a nonprofit dedicated to digital currency advocacy, explains that often the ransomware will include easy-to-follow instructions on how to quickly access and trade bitcoin.
Hospitals hit by the attack felt the pressure of being without patient information. At a MedStar hospital, a patient was given an antibiotic that, a nurse told the Washington Post, “should have been stopped eight hours earlier.” At the Hollywood Presbyterian Medical Center last month, patients were divertedto other hospitals. In both situations, the hospitals returned to paper records.
On its website Thursday, MedStar posted: “MedStar Health’s priority continues to be providing high quality, safe patient care, as we work to fully restore all of our major IT systems. Our doors remain open, with a few exceptions. With the dedication and commitment of our clinicians and associates, we are thankful that we have been able to perform more than 1,000 surgeries since Monday morning’s malicious malware attack.”
Rick Pollack, president and CEO of the American Hospital Association, emphasizes that hospitals should take steps to protect patient data: “Hospital leaders are using the lessons learned in previous attacks and are applying best cybersecurity practices shared by the AHA in an effort to anticipate and respond to existing and emerging threats,” he says.
The FBI is investigating several of these recent attacks. An FBI official tells NPR:
“Companies can prevent and mitigate malware infection by utilizing appropriate backup and malware detection and prevention systems, and training employees to be skeptical of emails, attachments, and websites they don’t recognize. The FBI does not condone payment of ransom, as payment of extortion monies may encourage continued criminal activity, lead to other victimizations, or be used to facilitate serious crimes.”
Hospitals can take a variety of steps to safeguard against these kinds of attacks, like using HTTPS encryption, two-factor authentication and implementing file backups on a separate server. “For hospitals right now, backups of customer data on unconnected machines or machines in other networks is essential,” Van Valkenburgh says.
He adds that patients should have more control over who has access to their personal records, and when. But until then? “We really are at the mercy of these centralized institutions,” he says.