Update: MedStar Health turns away patients one day after cyberattack on its computers.
The FBI is investigating the breach, which comes just weeks after similar cyberattacks on at least three other medical institutions in California and Kentucky. Still, MedStar officials said they had found “no evidence that information has been stolen.”
“MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” spokeswoman Ann Nickels said in a statement. “We are working with our IT and cyber-security partners to fully assess and address the situation. Currently, all of our clinical facilities remain open and functioning.”
But the infection could have a considerable impact on the $5 billion health-care provider, which operates 10 hospitals and more than 250 outpatient facilities in the Washington region. It serves hundreds of thousands of patients and employs more than 30,000 people.
Without access to sophisticated online systems, hospital staff have had to revert to seldom-used paper charts and records.
“Everything will be slowed down tremendously,” said Stephen Frum, a labor representative for National Nurses United who has worked closely with MedStar for 15 years. “It’s huge.”
Appointments and surgeries will be delayed, he said, explaining that it will take longer for lab results to come back, for patients to receive tests and for medications to be ordered.
Neither MedStar nor the FBI has said how long it expects the systems to remain offline.
“Even the lowest-level staff can’t communicate with anyone. You can’t schedule patients, you can’t access records, you can’t do anything,” said one employee who asked that her name not be used because she was not authorized to speak about the incident.
The woman said she spoke to two other employees who saw a pop-up on their computer screens stating that they had been infected by a virus and asking for ransom in “some kind of Internet currency.” She had not seen the pop-up herself.
Though the nature of the MedStar infection remains unclear, Nickels said Monday she had “not been told that it’s a ransom situation.”
"Ransomware" — a virus that holds systems hostage until victims pay for a key to regain access — has been deployed at least three times against hospitals this year.
In one case last month, a hospital in Los Angeles paid hackers $17,000 in bitcoins, an Internet currency, to free its system. Forbes identified that strain of ransomware as "Locky" — a reference to the virtual lock the virus places on data.
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” the hospital’s president, Allen Stefanek, said in a Feb. 17 statement. “In the best interest of restoring normal operations, we did this.”
Two weeks ago, a Kentucky facility announced it was in an "internal state of emergency" after a similar hack, according to the site Krebs on Security, which reported that the hackers in that case asked for about $1,600 in bitcoins.
Medical facilities are vulnerable to these attacks in part because they don’t properly train their employees on how to avoid being hacked, according to Sinan Eren, who has worked in cybersecurity for government and health-care organizations for two decades.
“It’s not like the financial-services industry, where they train employees how to spot suspicious emails,” said Eren, general manager at Avast Mobile Enterprise.
Also, many hospital computer systems are outdated, bulky and in dire need of upgrades or newer software, he said. But such institutions often don’t have — or don’t want to spend — the money to make sweeping changes.
“There’s a lack of budget, a lack of talent to handle these issues,” Eren said. “Sometimes the human capital might not be there. All these things are an incremental cost to their systems. Therefore, they kind of push the can down the road to deal with technical updates later.”
Special Agent Chris Stangl, a section chief at the FBI’s cyber division, said in a recent interview that ransomware attacks are becoming increasingly prevalent as more and more victims pay up. In a nine-month period in 2014, the FBI investigated 1,838 complaints of such attacks, which cost those targeted more than $23.7 million. In 2015, agents investigated 2,453 complaints, costing targets $24.1 million.
Stangl said the hackers, most of them from Eastern Europe, have increasingly targeted businesses, which are often able to pay more than individuals to unlock data. The hackers “scan the Internet for companies that post their contact information,” then send them email phishing attacks. Unsuspecting employees, Stangl said, are asked to click on what seem to be innocuous links or attachments — perhaps something as simple as a .PDF purporting to be a customer complaint — and before they know it, their computers are infected.
“In the beginning days of ransomware, the target was primarily individuals, and it was unsophisticated, just very small amounts that people would pay,” Stangl said. “It’s kind of moved, as the actors have become more sophisticated, to small- to medium-sized businesses.”
Stangl said the crime is financially motivated, and the hackers make demands that put their victims in a difficult spot. They target critical data — such as patient records — then ask for a ransom low enough that a business or individual will consider paying it.
matt zapotosky@washpost.com
