An internet television program that explores the intersection of medicine and the law.

Top Two Risks a Hospital Faces in a Malware Attack

By Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP)


What You Need to Know: Hospital Ransomware Attacks

Our guest on Healthcare Matters is Tom Andre, VP of Information Services at Cooperative of American Physicians (CAP). In part 2 of our What You Need to Know: Hospital Ransomware Attacks, we ask Mr. Andre to list the top two risks hospitals face when dealing with malware attacks. This information is important in the wake of the numerous hospital attacks occurring all around the country, including the attack on Hollywood Presbyterian Medical Center.

This is only one of the many questions we asked Mr. Andre about cyber security and how healthcare facilities can protect themselves. Check out all of them here:

  1. Explaining the Recent Ransomware Attacks on Hospitals
  2. Top Two Risks a Hospital Faces in a Malware Attack
  3. How Common are Ransomware Attacks on Hospitals?
  4. The Surprising Ways a Hospital can be Infected with Ransomware
  5. Risk Management Tips for Hospitals to Avoid Ransomware Attacks
  6. Should Hospitals Negotiate with Hackers if Hit with Ransomware?
  7. Protecting Patient Data During Hospital Ransomware Attacks
  8. Full Interview with Tom Andre: What You Need to Know: Hospital Ransomware Attacks


Mike Matray: It’s been well documented that stolen electronic medical records sell for ten to twenty times more, on the black market, than stolen credit card numbers. But the Hollywood Presbyterian Hospital case is different. Rather than selling stolen medical records, the hackers injected malware that restricted the hospital’s access to its computer system, and would only share the decryption key if a ransom of $17,000 was paid. What are the different risks associated with a hospital being blocked from accessing its computer system?

Tom Andre: Well, there’s a handful of risks. One is certainly a reputational risk, which is having to go to the public and say, “Our system has somehow been compromised and we can’t get access to it.” That’s something, I think, any organization is afraid of and is the reason why a lot of times you don’t hear about some of these attacks. But this was something that I think lasted long enough that it got out to the public, and public statements had to be made.

Another is a financial risk. Now $17,000, in the grand scheme of things, may not be a lot to the hospital, but I would look at how much productivity was lost. I believe, from the CEO’s statement on the hospital’s website, they first noticed the infection on Friday, the 5th of February, and their electronic health records systems were back up on the 15th.

So that’s nine to ten days of not being able to access that information. They were relying on paper, they were relying on faxes and phone calls. That would be a productivity hit to the hospital, because all that information that was collected on paper would then have to be back-filled into the hospital system. Those are some of the major risks. And then I think this is kind of a wake-up call, in a way, that even though the ransom wasn’t a lot, you have to think about the fact that this is a type of engineered attack that put itself inside the computer network.

Now, all they were after was a ransom for giving the files back, but the same type of mechanism could be used to plant something onto the network and then do what’s called a command-and-control situation, where a remote computer is accessing the internal network with all the same privileges as someone inside, like someone that would have access to medical records. The thing to keep in mind with ransomware attacks is that it is technically a command-and-control attack, where the malware gets installed on the computer, then it phones home.

It says, “Okay, I’m inside. Now I wanna start encrypting files. Give me an encryption key so I can start doing that.” And they have to do that because they want to use unique encryption keys. Because if they use the same one over and over again for every organization they attack, it would soon be known what the decryption key was, and their “business model” would no longer work.