https://www.baltimoresun.com/health/bs-md-medstar-healthcare-hack-20160402-story.html
Spurred on by the federal government, hospitals in Maryland have moved quickly in recent years to roll out electronic medical records.
The benefits are many. Electronic medical records can help patients avoid unnecessary tests. They help doctors tailor treatment even for patients they are meeting for the first time. With more information on hand, everyone can make better decisions.
But as the attack last week on computer networks at MedStar Health hospitals in Maryland and the District of Columbia demonstrated, the new systems can leave hospitals vulnerable.
After unidentified hackers encrypted hospital data, staff members, patients and family members reported delays in service and confusion in treatment. Some cancer patients were unable to get radiation treatment for several days.
For all the enthusiasm about adopting electronic medical records, security remains a concern. The primary worry has been that hackers could steal patients’ information to enable identity theft. But recent attacks have demonstrated the threat of ransomware, in which hackers deny access to data rather than stealing it.
In the MedStar attack, as has been the case with other health care providers, the hackers demanded payment in the difficult-to-trace digital currency bitcoin in exchange for the digital keys to unlock the encrypted data, according to copies of the ransom note obtained by The Baltimore Sun.
MedStar declined to make anyone available for an interview about the attack or its response, but issued a page-long statement in response to detailed questions faxed by The Sun.
“With only a few exceptions, handled on a case-by-case basis, care continued throughout this situation and has been provided to thousands of patients during the past five days,” the nonprofit health care system said.
“MedStar’s priority throughout this attack remains focused on providing high quality, safe care for patients and continuing to meet the care needs of the community.”
Hospitals in California and Kentucky also have fallen prey to recent ransomware attacks.
Despite widespread media coverage of those incidents, analyst Ted Harrington said, many health care organizations still have only a vague understanding of the range of threats they face.
Harrington’s Baltimore-based Independent Security Evaluators recently completed a two-year study of the digital threats to hospitals.
“Most health care organizations have not up to this point been adequately considering denial of service,” he said, using the phrase for attacks that focus on shutting down a target’s systems.
It is also not clear that the laws that require businesses to notify their customers and the public when hackers steal data apply when files are locked up but not stolen. Federal and Maryland laws describe a breach as when information is taken out of a computer system.
Jeffrey L. Karberg, who handles identity theft at the Office of the Maryland Attorney General, said the question revolves around the use of the word “acquire” in the laws.
“If I’ve just taken your house key and am willing to sell it back, have I acquired your house?” he asked.
The attack on MedStar, which operates 10 hospitals in the region, including Union Memorial, Harbor, Franklin Square and Good Samaritan, brought the computer systems of one of the region’s largest health care providers to a halt at the beginning of the workweek.
MedStar opened command centers to deal with the crisis, it said in its statement. Information technology teams worked to identify the malware and moved to block it. The health system said it would not discuss the malware details, the attack or the attackers, but did say it had not paid any ransom.
“Additional media coverage featuring criminal acts — offenses against the public that are punishable — perpetuates the infamy of malicious attacks for airtime and publicity,” MedStar said.
By Friday, MedStar said, 90 percent of its systems were back up and running. It said a close-to-normal number of patients had passed through the doors of its facilities during the outages.
Health care executives and regulators say their increasing reliance on computer networks and electronic patient data have brought new challenges.
Sharon Boston, a spokeswoman for LifeBridge Health, said the corporation takes information security seriously and works to adapt to new threats as they arise. LifeBridge operates Sinai, Northwest and Carroll hospitals in the Baltimore region.
“The use of the electronic medical record across the health care industry is broader and deeper than it has ever been, and will continue to grow,” Boston said. “With the evolving nature of these electronic threats, LifeBridge Health continually monitors the safety and potential vulnerability of our information systems and takes appropriate action.”
Ben Steffen, executive director of the Maryland Health Care Commission, said electronic medical records are still new and have vulnerabilities, but they benefit patient care.
“Certainly, we are still in the midst of introducing and spreading electronic medical records,” Steffen said. “We’re still at version one in this cycle, and making the systems more secure is one of the more important challenges moving ahead.”
Nationally, about 80 percent of doctors now report using electronic records, up from less than 20 percent in 2001. While those figures do not tell the whole story — many practices mix paper and electronic records, and some electronic records are merely scans of papers — they are now considered mainstream.
Hospitals use a variety of measures to prevent hacks and keep patient information safe, said David Sharp, the director of the state’s Center for Health Information Technology and Innovative Care Delivery, part of the Maryland Health Care Commission.
Hospitals conduct manual cybersecurity tests, Sharp said, and scan continuously for new viruses.
Chief information officers meet regularly with state officials. After the MedStar hack, Sharp said, the commission plans to hold those meetings more often.
“Hospitals are doing what they should do,” he said. “It is unfortunate cyberattacks occur, but no industry is immune.”
That’s true — every industry faces computer security challenges, and businesses in almost every sector have been targeted by hackers — but analysts say health care organizations face particular difficulties.
Tenable Network Security, which conducted a survey of several industries last year, ranked health care companies’ computer security as below average.
“Health care in general has not had a very good track record with information security overall,” said Cris Thomas, a strategist at the Columbia-based firm.
Many medical devices are now connected to the Internet, creating another vulnerability in hospital networks. In some cases, security fixes to the devices can be applied only by their vendors’ technicians.
There are signs that MedStar could have done more to withstand or even ward off an attack, some analysts say.
Many forms of ransomware require tricking a user into opening a file to begin an infection. The best defense is training employees — but even then, there is no guarantee that a craftily worded email from a hacker won’t con a staff member.
The tool used to attack MedStar, according to details of the ransom note and a website to which the hackers directed MedStar, was Samsam, a different kind that preys on weaknesses in a particular piece of software.
It is dangerous because it can be slipped into a network at any time of day or night and spreads quickly. But the defense against it is easier: Install updates that fix the weaknesses.
“From a resolution standpoint, this is a really easy-to-solve problem,” said Craig Williams, an analyst at Cisco’s Talos who has been tracking the use of Samsam.
The tool is new — it first appeared in December — but private security companies and the FBI have been warning about it, and the weaknesses it exploits are widely known.
By Monday morning, when MedStar discovered what it called a virus in its systems, it was too late to take those steps. Instead, the company’s response was to pull everything offline.
MedStar called the decision “courageous and mission-critical.” The health system said law enforcement and cybersecurity experts praised the move as “a critical component in the resulting recovery time.”
But security analysts who spoke to The Sun have questioned the move, which they called an extreme measure that harked back to the responses of the 1990s.
“It sounds to me sort of like a panic mode,” Thomas said. “Disconnecting and unplugging sort of works, but it’s not a viable solution these days.”