Hollywood Presbyterian Medical Center paid $17,000 to free computers from ransomware.

Lessons From the Hollywood Hospital That Paid $17,000 to Free Its Computers From Ransomware

Lessons From the Hollywood Hospital That Paid $17,000 to Free Its Computers From Ransomware

The citizen’s guide to the future.
Feb. 18 2016 2:10 PM
FROM SLATE, NEW AMERICA, AND ASU

Sometimes, You Have to Give In to Ransomware

Lessons from the Hollywood hospital that paid $17,000 to free its computer systems.

Hollywood Presbyterian Medical Center.
The Hollywood Presbyterian Medical Center, pictured on Tuesday, got by temporarily using paper registration forms and medical records and communicating via fax.

Mario Anzuoni/Reuters

The electronic medical record was supposed to change everything. Human mistakes would be eliminated by the pharmacy’s ability to automatically check for dangerous drug interactions; hospitals would be able to retrieve data instantly and find out whether they were following best practices; the mysteries of medical handwriting would be replaced by clear, definite printed information.

As we all now know, it didn’t quite work out that way. Patients complain that their doctors are looking at the screen instead of at them, doctors complain that life has become an endless series of boxes to click, and medical error hardly seems to have disappeared. There are still some bugs in the system—or, in the case of Hollywood Presbyterian Medical Center, one really big, particularly virulent bug: a ransomware program that shut down the entire hospital’s computer systems for more than a week until the hospital finally agreed to pay its attackers 40 bitcoins (currently worth about $17,000) this week.

Advertisement

Ransomware is malware that encrypts the data stored on infected machines and then demands that the users of those machines submit untraceable, online payments as ransom (typically through bitcoin transactions) before the attackers will unencrypt the data. There have been a rash of embarrassing cases in the past few years as ransomware has grown in popularity as a mode of attack: There was the police department in Massachusetts that had to pay $500 to regain access to one of its servers in 2015, and the sheriff’s office in Tennessee that paid $572 in 2014. So Hollywood Presbyterian is hardly the first institution to be targeted or to decide that the best course of action was to give in to the attackers’ demands. (In fact, last year, Joseph Bonavolonta of the FBI essentially encouraged people to pay these ransoms at the 2015 Cyber Security Summit, telling audience members “the ransomware is that good” that otherwise you’re unlikely to get your data back.)

What’s striking about the case of Hollywood Presbyterian is not that it was infected, or even that it ultimately paid a ransom, but rather what the hospital did before it paid: It stopped using the computer system. The staff went back to paper registration forms and medical records; they communicated via fax (apparently the fax lines were pretty jammed) and diverted some emergency patients to other hospitals. No doubt the incident stoked doctors’ frustrations with electronic medical record systems and the overstated promises of paperless hospitals and digital patient charts. And it’s an incident that reminds the rest of us nondoctors that, at least sometimes, it is unfair to dismiss these frustrations as misplaced nostalgia or prickly resistance to change. Paper charts might be messy, might be hard to read, might get lost in the basement for years—but at least paper charts couldn’t put a gun to your head.

For all the fuss we routinely make about how wholly, inextricably dependent we are on computer systems and how vulnerable this dependence makes us, it’s incredible that an organization as complex—and essential—as a hospital was able to take a cyberattack even partly in stride, rewind the clock 30 years, and continue treating patients. It’s a kind of resilience that most of us take for granted we no longer have when it comes to computer viruses—the ability to say, what most needs to be done, we can do without computers if we absolutely have to.

It’s not a permanent solution, of course—that’s why Hollywood Presbyterian ended up paying thousands of dollars to regain control of their computer systems—but being able to keep things up and running, and buy some time to negotiate the ransom down—from the initially reported $3.7 million (9,000 bitcoin) to the $17,000 that the hospital actually paid—is a significant achievement. That doesn’t mean we’re likely to see a lot more of this kind of low-tech reversion in response to ransomware incidents. The decision to postpone paying and revert to paper records was probably made in large part because of the astronomical initial ransom sum—and now that the attackers have figured out what they can and can’t get out of a hospital, they’re unlikely to make the same mistake next time. After all, the ransomers aren’t interested in demanding more money than you can pay: They’re interested in demanding exactly as much money as you can and will pay.

Advertisement

The going rate for a local law enforcement station seems to be about $500, judging by past cases. The next hospital that’s targeted will probably see ransoms in the range of tens of thousands, based on the Hollywood Presbyterian price. Of course, that’s assuming that the ransomers bother to distinguish between their targets—some of the most common ransomware programs spread indiscriminately and may make no distinction between an individual person’s hard drive and a rich company’s. In other words, the police stations that pay $500 for access to a server may simply be facing the same price that the attackers assume any infected individual would be able to pay.

In other words, this is a market where attackers are still figuring out the best ways to make money. It has a lot to recommend it (if you’re a profit-minded criminal) over the more traditional model of stealing data and selling it on the black market because it opens up the opportunity to profit off large swaths of data that would otherwise be worthless. The contents of my laptop hard drive, for instance, would presumably not be able to sell for so much as a penny on the black market—but I would happily (well, not happily, but willingly) fork over hundreds of dollars to retrieve them, if I didn’t have another copy. (Of course, I have many other copies of the things I care about—and by the way, so should you—for lots of reasons, but among them the fact that it makes it much harder for someone to effectively extort you using ransomware.)

So the ransomware model opens the door for lots of new customers and lots of new potentially “valuable” troves of data for criminals to target—and that only works if you charge prices that people will actually be able to pay. But if you’re charging everyone the same price to ransom their data, well, then you haven’t learned the vital lessons of the airline industry. Ransom requests like the 9,000 bitcoins initially demanded of Hollywood Presbyterian suggest that attackers are working on tailoring their prices a little more to their targets—and are perhaps still a little uncertain where those price points lie.

That’s not great news for any of us, but it is a reason to go make lots of backup copies of your data—and perhaps to hold onto a few fax machines and the stacks of paper records in the basement. Nothing strengthens your bargaining position with the people holding your computer systems hostage like the notion that you may not really need those systems to function. If it turns out you don’t desperately need that data back, then the ransomers are left sitting on a trove of worthless bits.

This article is part of Future Tense, a collaboration among Arizona State University, New America, and Slate. Future Tense explores the ways emerging technologies affect society, policy, and culture. To read more, follow us on Twitter and sign up for our weekly newsletter.

Josephine Wolff is an assistant professor of public policy and computing security at Rochester Institute of Technology and a faculty associate at the Harvard Berkman Center for Internet and Society. Follow her on Twitter.