Erie County Medical Center didn't pay a nearly $30,000 ransom demand to the perpetrators of a massive cyberattack in April, but the intrusion that brought down the hospital's computer systems will exact a very big cost.
ECMC officials estimate expenses tied to the incident were nearly $10 million.
About half of that amount is for computer hardware, software and assistance needed in the response. The other half represents a combination of increased expenses, such as for staff overtime pay, and lower revenues from the loss of business during the system down time.
That's just the costs related to the incident. Going forward, medical center officials also anticipate an ongoing additional expense of $250,000 to $400,000 a month for investments in upgraded technology and employee education to harden its computer system defenses to reduce the risk and impact of future attacks.
"What happened to us was a wake-up call for the entire community," said Thomas Quatroche Jr., the medical center's chief executive officer. "Any major institution that wants to improve cybersecurity will have to make investments just like this."
The attack took down more than 6,000 computers and forced the medical center back to the days of paper charts and face-to-face messaging. A ransom demand appeared on hospital computer screens that sought 24 bitcoins, a digital currency that was valued at about $1,215 per bitcoin at that time, totaling nearly $30,000 to unlock the medical center's system.
ECMC didn't pay the ransom, a decision recommended by security experts and law enforcement authorities. Among the reasons: Even if the attackers provided a key to unlock the computers, there was no guarantee it would work and no guarantee the computer systems would truly be wiped clean of malicious software. It also didn't seem like the right thing to do, officials said at the time.
Hospital finances healthy
Fortunately — and unlike many big urban public hospitals — ECMC finds itself in a reasonably good position to handle the problem.
Perhaps most importantly, the Grider Street medical center increased its insurance coverage against such events last November from $2 million to $10 million, Quatroche said. He said he is confident the hospital can recover the ransomware-related costs in its insurance claim, and publicly thanked ECMC's general counsel, internal auditors and insurance broker for recommending the increased coverage.
ECMC, which includes a 602-bed hospital and 390-bed nursing home, is also doing well from a business standpoint. It closed 2016, the busiest year in the hospital's history, with a $2.1 million operating surplus on $593 million in operating revenues.
Quatroche said so far in 2017 the medical center is $1.6 million ahead through June, and that's after a downturn in patient volumes in the spring as the hospital spent weeks rebuilding its information systems following the April 9 ransomware demand and discovery of the attack. He expressed confidence that ECMC would end 2017 with a surplus of $1 million to $2 million.
"We will have increased expenses around IT," said Quatroche. "Those costs will be a trade-off as we look at other equipment at the hospital. We feel we can find savings in non-patient areas."
A global problem
Officials believe a hacker or hackers used an automated program that anti-virus software could not recognize to exploit a remotely accessible hospital web server that should have been configured differently to prevent an incursion. The hackers then applied "brute force" computing, trying millions of character combinations to identify a relatively easy default password and gain entrance into the hospital's system. Once they had breached the perimeter, it's believed the intruders logged in and encrypted files in a way that made it more difficult to recover data.
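As an added illustration, not part of the original article or of ECMC's own systems, the Python below shows the kind of detection logic a defender would run over authentication logs to catch the password-guessing pattern described above: a burst of failed logins from one source, followed by a success. The log lines, addresses and account name are constructed sample data.

```python
"""Flag brute-force login activity in authentication log lines.

Each line is "<ISO timestamp> <source-ip> <user> <result>", result FAIL or OK.
A source with `threshold` failures inside `window` is reported once as a
"burst"; a later success from that source while the burst is still in the
window is reported as "success_after_burst", the sign that guessing worked.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (documentation IP ranges): one source hammering a
# default account, one normal user with an ordinary typo-then-success.
SAMPLE_LOG = """\
2017-04-09T02:00:01 203.0.113.7 admin FAIL
2017-04-09T02:00:02 203.0.113.7 admin FAIL
2017-04-09T02:00:03 203.0.113.7 admin FAIL
2017-04-09T02:00:05 198.51.100.20 jdoe OK
2017-04-09T02:00:06 203.0.113.7 admin FAIL
2017-04-09T02:00:08 203.0.113.7 admin FAIL
2017-04-09T02:00:09 203.0.113.7 admin OK
2017-04-09T02:30:00 198.51.100.20 jdoe FAIL
2017-04-09T02:30:04 198.51.100.20 jdoe OK
"""

def parse_line(line):
    ts, src, user, result = line.split()
    return datetime.fromisoformat(ts), src, user, result

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, source, user, timestamp) tuples, in log order."""
    recent = defaultdict(deque)   # source -> timestamps of failures in window
    flagged = set()               # sources already reported for the current burst
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        q = recent[src]
        while q and ts - q[0] > window:   # slide the window forward
            q.popleft()
        if result == "FAIL":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, user, ts))
        elif len(q) >= threshold:         # success right after a burst
            alerts.append(("success_after_burst", src, user, ts))
        if not q:                         # window empty: allow a fresh alert later
            flagged.discard(src)
    return alerts
```

Thresholds are per-source; a lockout or rate limit on the exposed service, plus removing the default credential, is the mitigation this detection backs up.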
What happened at ECMC reflects a global crisis, with thousands of attacks — large and small — now occurring each year at many businesses, organizations and government agencies.
Kaleida Health, for instance, recently experienced a phishing incident that led it to notify 2,800 patients about an attempt to gain personal information. Phishing is the use of a fraudulent email purporting to be from a reputable company or organization that tries to get people to reveal private data.
The Kaleida hospital system reported that it learned on May 24 that an unauthorized party potentially accessed an employee’s email account and, as a result, may have gained access to other Kaleida Health email accounts that may have included patients’ names, medical record numbers, dates of birth, diagnoses, treatment information, or other clinical information. Social Security numbers and financial information were not contained in the email accounts, said spokesman Michael Hughes.
He said it's impossible to tell if the perpetrator did view any emails with patient information, but the hospital system is taking the precaution of notifying patients. Under federal law, hospitals are required to report potential medical data breaches involving more than 500 people.
Task force recommendations
The extent of cybercrime is huge, global and growing, although difficult to pin down with certainty. In the U.S., financial losses from incidents in 2016 exceeded $1.3 billion, according to the Federal Bureau of Investigation's Internet Crime Report released in June. The FBI's Internet Complaint Center received 298,728 complaints last year, but the agency estimated that only 15 percent of the nation's internet fraud victims report crimes to law enforcement.
In the case of ransomware, that may mean many victims are paying the ransoms. An internet security threat report released in April by Symantec, the giant cybersecurity company, found that 64 percent of American ransomware victims are willing to pay a ransom, compared to 34 percent internationally. Willingness to pay ransoms is likely a major reason for a dramatic increase from 2015 to 2016 in ransom demands, even though paying the ransom doesn't guarantee decryption of files, according to Symantec.
The company report cited a finding by Norton Cyber Security that only 47 percent of victims who paid a ransom reported getting their files back.
Symantec also reported that the use of email as an infection point has become a weapon of choice for cybercriminals. Its review found that 1 in 131 emails contained a malicious link or attachment – the highest rate in five years. The review noted that business email phishing scams — in which criminals impersonate a company official in an attempt to get an employee, customer or vendor to transfer funds or sensitive information to the phisher — scammed more than $3 billion from businesses over the last three years.
Health care is one of the most frequently targeted industries by cybercriminals, and that's partly a result of its many interconnected computer systems, patient records and medical devices.
A report by the Health Care Industry Cybersecurity Taskforce released in June found that health care lags behind other industries in cybersecurity because of inadequate in-house expertise, poorly secured or outdated systems, and a lack of awareness of the seriousness and complexity of the threat, especially to patient privacy and safety.
"Health care cybersecurity is a key public health concern that needs immediate and aggressive attention," according to the task force, which was created by Congress.
Among its many recommendations: define and streamline leadership, governance and expectations for health care industry cybersecurity; increase the security and resilience of medical devices and health information technology; develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities; and improve information sharing of industry threats, risks, and mitigations.
Education is part of the solution
A big piece of the challenge is educating people not to be tricked by fraudulent email and to react quickly if a cyberattack breaks through computer defenses.
Quatroche again praised the resourcefulness of the medical center staff in its response to the attack.
"In our case, everyone — the ER, the labs, radiology — did what they were supposed to do," he said.
But one key lesson learned that Quatroche is sharing with other health care officials is a recommendation to train employees in regular exercises as close to real-life, worst-case scenarios as possible.
"Hospitals should really be drilling with everything down," he said.