Ransomware Wreaking Havoc in American and Canadian Hospitals

Hollywood Presbyterian Medical Center
The Hollywood Presbyterian Medical Center, which was the first known hospital in the United States targeted with a ransomware attack, Los Angeles, February 16. REUTERS/Mario Anzuoni

Last month, the Hollywood Presbyterian Medical Center in Los Angeles declared a state of emergency when hackers took its data hostage. The two-week standoff ultimately ended with the institution paying a $17,000 ransom. But for other hospitals in the United States and Canada, the troubles were just beginning.

In the past two weeks, ransomware viruses have placed two other hospitals—one in Kentucky and one in Ottawa, Ontario—under siege. Ransomware is a form of malicious code that blocks owners from their own data by encrypting them with a key solely belonging to the hackers and deleting its original copies. The Kentucky attack is ongoing, while the one in Ottawa ended without any harm induced or ransom paid.

Another hospital in West Virginia reported a cyberattack reminiscent of ransomware on Tuesday. "I don't have any specific information about whether this was ransomware," Amy Johns, spokeswoman for the Ruby Memorial Hospital in Morgantown, West Virginia, tells Newsweek. "We are working with appropriate authorities to determine the source of today's disruptions."

Ransomware attacks will "wreak havoc on America's critical infrastructure," warns a report from the Institute for Critical Institute Technology (ICIT) , a nonprofit examining the cybersecurity of public and private infrastructure. "Ransomware is less about technological sophistication and more about exploitation of the human element," says the report.

The ransomware attacks at Hollywood Presbyterian Medical Center in Los Angeles, Methodist Hospital in Henderson, Kentucky, and Ottawa Hospital in the Canadian capital had a few commonalities. First and most important, patient information was never compromised in the three attacks. Local reports on the Ruby Memorial attack also note no patient data being stolen.

In most ransomware cases, hackers are looking to disrupt businesses and make easy money rather than re-sell the collected data to cybercriminals. "Reselling data can be highly profitable for cybercriminals, but requires expertise in both selling data, fraudulent activities and/or the ability to sell on the black market. All of these are risky and increase the likelihood of the attacker getting caught," says Tripwire's senior security research engineer, Travis Smith. "Now attackers can make hundreds to thousands of dollars per infection and get paid immediately, instead of going through other risky steps to make a profit."

Another pattern was that, as the name indicates, ransom was asked by the hackers. Ottawa Hospital was able to clean the ransomware off its systems without paying. Methodist Hospital tells Newsweek it has not paid the $1,600 demand—or 4 bitcoins, the cryptocurrency that features frequently in ransomware attacks.

But since the recovery is ongoing, Methodist Hospital may consider paying the ransom as a last resort, the hospital's attorney, James Park, told noted cybersecurity journalist Brian Krebs. "I think it's our position that we're not going to pay it unless we absolutely have to," Park says.

In both the Hollywood Presbyterian Medical Center and Methodist Hospital cases, local FBI offices are investigating the matter. But in the Hollywood hospital case, law enforcement was not called upon until after the hospital paid the ransom, according to The Los Angeles Times.

Newsweek did not hear back from requests for comment from the FBI offices in Los Angeles and Louisville, Kentucky. Hollywood Presbyterian Medical Center declined to answer Newsweek's questions on the attack.

In addition to hospitals, police departments, schools and churches have been targeted in ransomware attacks in February, according to ICIT. The Melrose Police Department in Massachusetts paid 1 bitcoin, or $416, to hackers. Horry County School District in South Carolina paid $8,500. The Community of Christ Church in Hillsboro, Oregon, paid $850.

The best way to protect against ransomware attacks, experts agree, is to have a backup system, whether in a cloud network or some reserve outside of the IT network where hackers can't get to it. Ottawa Hospital was able to recover easily thanks to having backup copies of its data. "We are confident we have appropriate safeguards in place to protect patient information and continue to look for ways to increase security," hospital spokeswoman Kate Eggins told the Ottawa Citizen.