So far, Charleston hospitals have been spared a major cyber attack, but two recent security breaches at hospitals in Washington and Hollywood, Calif., have called into question how vulnerable other medical centers might be.
“MUSC is vulnerable to those kinds of attacks, but to be fair, every other hospital in America is vulnerable to these kind of attacks, as well,” said John Rasmussen, chief information security officer at the Medical University of South Carolina. “We prepare all the time for incidents like this.”
The hacking at MedStar Georgetown University Hospital in Washington last week forced hospital personnel to use paper medical records after the facility was crippled by a virus that shuttered its computers for patients and staff.
Earlier this year, Hollywood Presbyterian Medical Center paid specialists $17,000 to regain control of its computer system, which hackers had seized with ransomware using an infected email attachment.
The hospital paid 40 bitcoins — or about $420 per coin of the digital currency — to restore normal operations and disclosed the attack publicly. That hack was first noticed Feb. 5, and operations didn’t fully recover until 10 days later.
Unless patient data is affected, the federal government doesn’t require hospitals to disclose such hackings, even if operations are disrupted.
Rasmussen said MUSC employees have been targeted with ransomware before, but the damage has been limited to single computers.
“For us, when we find one of these, we re-image the workstation and get rid of the malware,” he said. “We don’t pay (the ransom). Typically, it’s not good to pay the person who is holding you hostage. We don’t negotiate with terrorists.”
Approximately 7,000 MUSC patients were impacted by a 2013 data breach. In that case, hackers targeted a third-party credit card processing vendor.
Keith Neuman, vice president and chief information officer for Roper St. Francis, said hospitals may learn from cyber attacks at other facilities.
“What happened at MedStar has now allowed everybody to look at this and say let’s get this (security) patch in,” Neuman said. “MedStar doesn’t have the advantage of learning from this because they were hit with it.”
Hospitals are considered prime targets for hackers because patients often disclose sensitive, personal information, such as Social Security and credit card numbers, when they receive treatment. Even though the threat is well known, The Associated Press reports that the hospital industry’s computer security systems are “generally regarded as poor.”
Rasmussen said he doesn’t consider that statement completely fair.
“Overall, I think IT security across the nation is probably at a low level of maturity,” he said. “In health care, there’s been a lot work done over the past several years to improve security.”
The Associated Press contributed to this report. Reach Lauren Sausser at 843-937-5598.