Last week, reports surfaced of a cyber heist on Hollywood Presbyterian Medical Center in Los Angeles, a scenario that would not be out of place on the set of a movie. Hackers took control of the hospital’s IT infrastructure, locking the staff out of their systems using a type of malware called ransomware.
In order to regain access, the hospital had to pay the attackers 40 bitcoins, equivalent to $17,000, in exchange for a decryption key.
Beyond the simple nuisance of hackers withholding system access, there was a real threat to the integrity of valuable patient data and medical records.
The attack caused waves in the cybersecurity community, with some experts speculating on whether attackers will continue to use ransomware in the future. No matter the tools cybercriminals use, many agree that longstanding cybersecurity deficiencies and lack of investment in preventative infrastructure could mean the next attack is just around the corner.
‘Criminals are opportunists’
Even in the most compliant companies, weak passwords and the smallest of vulnerabilities could allow someone to breach a system, said David Makin, a technology, crime and criminal justice assistant professor at Washington State University.
"Criminals are opportunists," Makin said. "They realize there is a vulnerability, a vulnerability that can be exploited and they're going to target it."
To avoid having systems compromised, companies should focus on hardening infrastructure, with redundancies put in place that can withstand attempts at manipulation, experts said. But many companies are still treating investment in IT and infrastructure as an afterthought, only spending money if something is broken and not taking preventative measures.
"If you're a hospital CIO, it's really about hardening your systems to raise the cost so that the hackers go elsewhere for the low-hanging fruit," said Chris Finan, a fellow with the Truman National Security Project, a former Obama administration official and a Silicon Valley tech entrepreneur.
To avoid getting locked out of systems, and to ensure data loss prevention, companies need to focus on data disaster recovery and have another source for their data. Then, if a company gets locked out of its system, it can "wipe" the compromised data and restore data in a clean and protected environment, said Jeff Erramouspe, vice president and general manager of Spanning by EMC, a SaaS data backup and protection provider.
"Until we take information security seriously, we're going to continue to see issues like this," Makin said. "Really, you have to convince executives that their IT department is one of the most crucial when all of their records — all of their business — are digital data."
Ransomware on the rise
Though cybersecurity breaches and reports of denial-of-service attacks surface almost every day, this attack on Hollywood Presbyterian may be the first publicized report of a ransomware attack and ensuing payment.
There is no real way of knowing how often something like this happens, especially because if an enterprise detects something, it may handle the issue internally or contract it out to a private company, according to Makin.
Erramouspe said he has worked with companies recovering from the CryptoLocker virus in the past, similar to the one used at the hospital. It is becoming more prevalent, Erramouspe said, and with the rise of bitcoin it is easier for hackers to get paid.
"Hackers have discovered that while the data that they steal or have access to may be useful to other people, it's actually most valuable to the people who actually own it," said Erramouspe. Criminals "believe that you can get more money or more value for that from the person that actually owns the data who needs it back."
Personal data is available in so many different places that the value changes on the open market with people competing to sell it, Erramouspe said. But data is the "lifeblood" of a business, from information on customers to business deals to health records.
"Hackers are too empowered with automation tools. Preventing somebody from getting access, it's impossible," Finan said. "The only real solution is to have enough redundancy and try to protect key enclaves and key databases."
"We would hope that it would sound an alarm to say that IT is something that every company needs to be pursuing very vigorously," Makin said. "Every company, every individual, needs to be thinking about how we secure data."
Why pay the ransom?
Experts can only speculate whether the publicized ransom payment will set a precedent for more enterprising criminals targeting similar kinds of businesses.
Even with paying the ransom, which allowed Hollywood Presbyterian to regain access to its systems, there is no way of knowing, at first glance, what level of access the attackers had in their system or what other accounts were potentially compromised, Makin said.
"You can really only speculate," Makin said, "without knowing what level of access they had, and the danger to life depending on what they had access to in terms of being able to delete records."
Though a ransom payment may seem like a worst-case scenario, the ultimate concern for a company is business continuity, with a focus on getting systems back up and running, Erramouspe said. It is possible that hackers could have put in a backdoor. In an incident like the one at Hollywood Presbyterian, when rebooting systems, bringing networks online in a "completely clean environment" can work to protect a business's information.
"Unfortunately a lot of companies are susceptible to this kind of manipulation, or I should say coercion, and there's probably not a lot to do about it," Finan said.
If criminals continue to use ransomware and other methods of coercion when infiltrating a company’s systems, national resources will likely start to focus on attributing the crimes to the responsible groups.