The news made national headlines: Hollywood Presbyterian Medical Center’s computer systems were down for more than a week1 as the Southern California hospital became yet another victim of ransomware—an attack where a business or individual’s computer system is held hostage by cybercriminals until a ransom is paid. Hollywood Presbyterian Medical Center ended up paying $17,000 to restore its systems and administrative functions.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” said Allen Stefanek, president and CEO of the medical center. “In the best interest of restoring normal operations, we did this.”
No healthcare provider wants to be in Mr. Stefanek’s position. Once ransomware is in your medical practice or hospital system, there are only three basic options:
If before the attack you’ve performed incremental backups, you can restore the areas affected, with minimal data loss (for example, an hour). If you have point-in-time backups, you can restore with increased data loss (for example, a week). If you have no reliable backups, you can reset the technology back to its “out-of-box,” or default, state and lose all the data, if no paper records exist. The only other option would be to pay the ransom.
The key to handling any type of attack is to stop the spread once it’s identified. For example, Ottawa Hospital in Canada took the right steps when four of its 9,800 computers were hit by ransomware.2 The hospital was able to find the virus, isolate it before it spread, and wipe the drives clean on the infected computers. The hospital was able to prevent loss of any patient information and avoid paying any ransom because it had saved critical data on servers instead of desktop computers.
Besides loss of business, inconvenience to patients, and damage to reputation, a ransomware attack also poses liability risks. The possibility of adverse events and subsequent claims for professional negligence increases when computerized systems necessary for various functions such as CT scans, documentation, lab work, and pharmacy needs are offline. If hospital systems are down for any significant period of time, certain patients should be transported to other hospitals.
Adverse events can occur when healthcare workers do not have access to EHR systems. However, if this type of case was litigated, the patient would have to prove that something in the records may have had a bearing on the treatment being provided. In the case of emergency care, the claimant would have to successfully argue that the staff should not have undertaken the care until the medical records could be accessed.
Another risk involves theft of patient records during the attack. If patients’ personal information such as social security numbers and addresses are stolen, the physician practice or healthcare facility may be subject to claims for damages due to identity theft. If a HIPAA violation occurs because patients’ healthcare information is compromised, the practice or healthcare facility would face an investigation by the federal government and could face fines.
Hospitals, medical practices, and businesses should take full precautions to prevent a hack that results in ransomware being installed. Prevention strategies include:
Much of the decision to pay or not to pay the ransom is based on the circumstances surrounding the attack, the extent to which all or part of the systems have been compromised, and the degree to which recovery or restoration of the system can be achieved. Any decision must be viewed in light of all of the information and made on a case-by-case basis.
1Dangerous escalation in ransomware attacks. CBS News. February 20, 2016. http://www.cbsnews.com/news/ransomware-hollywood-presbyterian-hospital-hacked-for-ransom/. Accessed March 21, 2016.
2Ottawa Hospital hit with ransomware, information on four computers locked down. National Post. March 13, 2016. http://news.nationalpost.com/news/canada/ottawa-hospital-hit-with-ransomware-information-on-four-computers-locked-down. Accessed March 21, 2016.Craig Musgrave, Senior Vice President, Information Technology, The Doctors Company
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider in light of all circumstances prevailing in the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.