Skip to main content


Ransomware Threat Levels: Elevated. Executives, are You Listening?

   April 12, 2016

Have executives run out of excuses to postpone increasing security awareness, employee training, and overall IT security budgets? Based on events of the past two months, one could make a pretty compelling case.

I saw a CNBC news story on April Fool's Day that I had to read three times to make sure it wasn't a hoax.

A survey of 1,530 nonexecutive directors and C-level executives in the US, UK, Germany, Japan, and Nordic countries, conducted by Nasdaq and Tanium, found that 40% of executives said they do not feel responsible for the repercussions of criminal hackings.

"I think the most shocking statistic was really the fact that the individuals at the top of an organization, executives like CEOs and CIOs, and even board members, didn't feel personally responsible for cybersecurity or protecting the customer data," said Dave Damato, chief security officer at Tanium, speaking on CNBC's Squawk Box that same day.

Have executives run out of excuses to postpone increasing security awareness, employee training, and overall IT security budgets? Based on events of the past two months, in the healthcare industry anyway, I could make a pretty good case:

  • At the end of March, MedStar Health, which operates 10 regional hospitals in the Baltimore/Washington region, was forced to resort to paper medical records and transactions. MedStar executives initially denied it was another ransomware attack, although media accounts quoted employees who had seen ransomware demands pop up on their computer screens. MedStar paid no ransom and brought all systems back online last week. Executives also disputed an Associated Press story quoting unnamed employees who said the organization ignored information systems security warnings dating as far back as 2007.
  • In mid-March, another ransomware attack hit Methodist Hospital in Henderson, KY. The attackers copied records and deleted the originals. In this case, the hospital was able to activate a backup system and continue to run its systems smoothly, albeit with temporary limited Web access to some services. Methodist paid no ransom.
  • Shortly thereafter, hacker criminals demanded ransom from two more Southern California hospitals run by Prime Healthcare Services – Chino Valley Medical Center in Chino and Desert Valley Hospital in Victorville. As of this writing, there is no evidence that Prime paid any ransom.
  • In mid-February, Hollywood Presbyterian Medical Center paid a $17,000 ransom in bitcoin to hackers who had infiltrated its network and encrypted medical records and demanded a $3.4 million ransom be paid. The hospital CEO said paying the $17,000 ransom to unlock its own data, after three weeks of operating without critical computer programs, was in the organization's best interest.

All of this has activated security vendors and members of the media, such as myself, into a storm of calls to action in the information security realm not seen since the Anthem breach early last year.

Various advances in the kinds of malware that can deliver ransomware to healthcare desktops and laptops, often through spam, phishing attempts, or other credible-looking emails, are blamed for the recent rash of attacks.

The idea of ransomware is not new. Reports dating back to 2005 and before mention it by name. And then consider this: Some cloud-based systems will now lock ordinary users out of their services while they perform security scans and remove files they determine are malware.

This happened to me just last week, when ESET, a security vendor who has worked with Facebook since 2014, locked me out of Facebook (on every device I use to access the service) while it performed an hour-long scan-and-remove operation on one of my PCs.

The files it removed were unfamiliar to me, and probably were just adware, but nothing punctuates the precarious condition we find ourselves in better than the fact that a careful PC user such as myself must now consider such lock-outs a possible everyday occurrence.

Scott Mace is the former senior technology editor for HealthLeaders Media. He is now the senior editor, custom content at H3.Group.

Get the latest on healthcare leadership in your inbox.