Lessons learned from the Hollywood Presbyterian Medical Center Cyber-Ransom attack: Top security experts weigh in

Feb 18, 2016, 11:17 ET from Netswitch

SAN RAFAEL, Calif., Feb. 18, 2016 /PRNewswire/ -- The healthcare industry suffered another blow when the Hollywood Presbyterian Medical Center in Los Angeles was hit by a devastating cyberattack that crippled its operations and put patients' lives at risk in a breach called a "ransomware," because the attackers are demanding $3.6 million to restore its computer systems and networks.

The hospital's CEO, Allen Stefanek, responded by saying that the attack appeared to be random and that no patient or employee information was at risk.

According to one of the country's leading cyberattack experts, Steve King, chief security officer for Netswitch Technology Management, Stefanek's response was inadequate at best and possibly dangerous.

King said there are four things never to do in case of a breach of this magnitude.

1.  Never wait to acknowledge a breach. The longer you delay, the more it looks like you have something to hide and the less your customers will trust you.

2.  Never insult the public's intelligence by saying that "no patient or employee information is at risk" when it is obvious that if the attackers were clever enough to lock down the hospital's systems, they are certainly capable of stealing the medical records as well.

3.  Never suggest that you were attacked "randomly" as if this horrible thing came your way simply out of the blue. The facts are that these hackers targeted the Hollywood Presbyterian Medical Center specifically because they knew their cyber-security defenses were weak or non-existent.

4.  Never pay the ransom. Take the hit. Pay whatever you have to in order to re-create it all and button it up so it won't happen again. Then, walk back everything you have said and come clean.

Mary Siero, an experienced CIO in healthcare, agrees that companies need to be better prepared for ransomware, which is increasing at an alarming rate.

"Organizations should not assume that the breach is minor without an in-depth assessment and should also not assume that sensitive data has not been breached until they have their assessment," says Siero. "Hopefully the organization has considered the seriousness of these and other breaches and developed an Incident Response Plan in advance of breaches."

"If you are in the healthcare space and are fortunate enough to have avoided a breach thus far, take a lesson from this event and start investing in your own cyber-defenses right now," says King. "I am sure you are on someone's list somewhere."



SOURCE Netswitch