After the Hollywood Presbyterian hospital hack, how much of a threat are ransom-driven cyber attacks?

Science Friday
Hollywood Presbyterian Medical Center

The Hollywood Presbyterian Medical Center is pictured in Los Angeles, California February 16, 2016. The FBI is investigating a cyber attack that crippled the electronic database at Hollywood Presbyterian Medical Center for days.

Mario Anzuoni/Reuters

On February 5, staff at Hollywood Presbyterian Medical Center discovered they were in the middle of an attack. Certain computer systems had been invaded by malware, encrypted, and taken for ransom. The price? Forty bitcoins, or $17,000 dollars, for a key to decrypt the system. 

The hospital paid the ransom because it was, as they put it, “in the best interest of restoring normal operations."

Martin Fisher, the information security manager for a hospital system in Georgia says we haven't seen the last of these cyber criminals. 

“These guys will definitely try it again with other people. I'm sure they're trying it with the thousands of other potential victims,” Fisher says. “My professional information security opinion is I hate the fact that people pay ransom. As a person who's also in the health care industry and is interested in making sure systems come up quickly so we can serve patients effectively and not have patient safety issues, I totally understand why they made that choice.”

According to Fisher, ransomware and cyber hacks have become a huge security issue. 

Liviu Arsene, a senior e-threat analyst at Bitdefender in Bucharest, Romania, says the proliferation of ransomware kits has made this type of cyber crime particularly attractive. 

“You'd be surprised to find out how easy it is to buy yourself a ransomware kit,” Arsene says. “It used to be as high as $3,000. I think you can just buy your own ransomware kit and start delivering it to hundreds, potentially actually thousands of victims and make potentially hundreds of thousands of dollars in return. So [with] the $3,000 investment you can end up making hundreds of thousands of dollars.”

Arsene reminds people to only open links and attachments in emails from people they recognize. He also advises using caution when browsing the web to avoid so-called “drive-by attacks.”

“For the business sector, however, that's an entirely different story,” Arsene says. “You can have your IT administrator or your security team set up different layers of securities that can prevent this type of threat from actually reaching an employee's computer, or at least executing on an employee's computer.”

The HIPPA Security Rule, which establishes national standards to protect individuals/electronic information, requires hospitals to back up data, but Fisher says that even hospitals who follow the rules may still be in danger. 

“Hospitals do the best they can,” Fisher says. “But, you know, with all the varied systems that hospitals have — and some of them are old, some of them are new — doing backups is hard. And sometimes IT systems don’t act the way they should. And the cost and the time it'll take and even if they had a a robust backup program it may have actually been easier and cheaper to pay the $17,000.”

Cyber attacks, according to Fisher, are the new reality, and they may become even more of a problem.

“A lot of what's happening from the cybercrime side is organized crime,” Fisher says. “This is very similar to the to the guy who, you know, pulled you in an alley and said, you know, ‘$5 or I'm going to beat you up.’ It may get to that point. We're not seeing that now, because really it's a fire and forget thing for the adversary. They send out spam e-mails, someone clicks on it. They’re not sure who will, but when it does the malware phones home and says ‘Hey! I just encrypted all the stuff. Here is the key I created.’ And then they engage in a dialogue with the victim to see if they can extract the money.”

This article is based on an interview that aired on PRI's Science Friday.