Canadian Healthcare Technology
Privacy & Security

Response to ransomware costs hospital $10 million

August 9, 2017


BUFFALO, N.Y. – Hackers demanded $30,000 from the Erie County Medical Center during a massive cyber-attack in April, when ransomware shut down the hospital’s computers. The medical centre didn’t pay the fee, but it did spend $5 million on new hardware, software and services to recover its data and protect itself from future intrusions.

Another $5 million in costs stemmed from a combination of increased expenses, such as for staff overtime pay, and lower revenues from the loss of business during the system down time, the Buffalo News reported.

That’s just the costs related to the incident. Going forward, medical center officials also anticipate an ongoing additional expense of $250,000 to $400,000 a month for investments in upgraded technology and employee education to harden its computer system defenses to reduce the risk and impact of future attacks.

“What happened to us was a wake-up call for the entire community,” said Thomas Quatroche Jr., the medical center’s chief executive officer. “Any major institution that wants to improve cybersecurity will have to make investments just like this.”

The attack took down more than 6,000 computers and forced the medical center back to the days of paper charts and face-to-face messaging. A ransom demand appeared on hospital computer screens that sought 24 bitcoins, a digital currency that was valued at about $1,215 per bitcoin at that time, totaling nearly $30,000 to unlock the medical center’s system.

ECMC didn’t pay the ransom, a decision recommended by security experts and law enforcement authorities. Among the reasons: Even if the attackers provided a key to unlock the computers, there was no guarantee it would work and no guarantee the computer systems would truly be wiped clean of malicious software. It also didn’t seem like the right thing to do, officials said at the time.

Fortunately – and unlike many big urban public hospitals – ECMC finds itself in a reasonably good position to handle the problem.

Perhaps most importantly, the medical center increased its insurance coverage against such events last November from $2 million to $10 million, Quatroche said. He said he is confident the hospital can recover the ransomware-related costs in its insurance claim, and publicly thanked ECMC’s general counsel, internal auditors and insurance broker for recommending the increased coverage.

ECMC, which includes a 602-bed hospital and 390-bed nursing home, is also doing well from a business standpoint. It closed 2016, the busiest year in the hospital’s history, with a $2.1 million operating surplus on $593 million in operating revenues.

Officials believe a hacker or hackers used an automatic program, one that anti-virus software could not recognize, to exploit a remotely accessible hospital web server that should have been configured differently to prevent an incursion.

The hackers then applied “brute force” computing – trying millions of character combinations to identify a relatively easy default password to gain entrance into the hospital’s system. Once they had breached the perimeter, it’s believed the intruders then logged in and encrypted files in a way that made it more difficult to recover data.

What happened at ECMC reflects a global crisis, with thousands of attacks – large and small – now occurring each year at many businesses, organizations and government agencies.

Healthcare is one of the industries most frequently targeted by cybercriminals, and that’s partly a result of its many interconnected computer systems, patient records and medical devices.

A report by the Health Care Industry Cybersecurity Taskforce released in June found that healthcare lags behind other industries in cybersecurity because of inadequate in-house expertise, poorly secured or outdated systems, and a lack of awareness of the seriousness and complexity of the threat, especially to patient privacy and safety.

“Healthcare cybersecurity is a key public health concern that needs immediate and aggressive attention,” according to the task force, which was created by the US Congress.

Among its many recommendations: define and streamline leadership, governance and expectations for healthcare industry cybersecurity; increase the security and resilience of medical devices and health information technology; develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities; and improve information sharing of industry threats, risks, and mitigations.

A big piece of the challenge is educating people not to be tricked by fraudulent email and to react quickly if a cyberattack breaks through computer defenses.

But one key lesson learned that Quatroche is sharing with other healthcare officials is a recommendation to train employees in regular exercises as close to real life, worst-case scenarios as possible. “Hospitals should really be drilling with everything down,” he said.

© 2025 Canadian Healthcare Technology

The content of Canadian Healthcare Technology is subject to copyright. Reproduction in whole or in part without prior written permission is strictly prohibited. Send all requests for permission to Jerry Zeidenberg, Publisher.
