On the 28th of March, 2016, a group of workers in MedStar Health (MedStar), a nonprofit healthcare system, which includes ten hospitals in Washington DC and Maryland, received a pop-up message that read “You just have 10 days to send us the bitcoin. After the 10 days, we will remove your private key and it’s impossible to recover your files”. The hackers demanded 45 bitcoins, which was worth $19,000 back then. If the hospital’s officials would have paid the ransom, the hackers claimed they would provide them with the necessary tools to decrypt data and enable MedStar to regain access to its databases.
Complying with the federal officials’ recommendations, MedStar’s workers did not pay the bitcoin ransom. After losing access to its electronic health records (EHR), MedStar had to shut down its computers and email for all of the system’s ten hospitals and over 250 outpatient centers. However, the ramifications extended way beyond simply shutting down computers and emails. Even though MedStar’s emergency department in Washington DC stayed open throughout the outage, the challenges associating treating patients, who suffered from life threatening conditions back then, had no choice but to head to other hospitals in the vicinity. Furthermore, a considerable proportion of MedStar’s outpatient clinics had to cancel patients’ appointments entirely, as they were not capable of providing treatment or other forms of routine management functions including check-in, billing and collection, without having a functioning computer system.
Apart from the inconveniences of considerably slow response time and rescheduling of some outpatient appointments, inability to access the EHR system led to patients’ concerns and possible safety risks. For instance, a nurse stated in an interview for “The Washington Post” that due to delay in lab results, she continued on giving certain medication, that had some potentially hazardous side effects, to a patient for whom the medication should have been stopped eight hours earlier. Even though MedStar’s officials remained positive to the public, the stories narrated by providers, patients and staff about the challenges created by such attack revealed a different kind of story.
Despite the fact that such malware attack may be merely a form of inconvenience or annoyance for some businesses, the challenges facing healthcare providers in such forms of attacks can be disastrous. Unluckily, incidents like that of MedStar are rather numerous. A few weeks following the MedStar incident, attacks were reported on a hospital in Kentucky, another in Kansas, two hospitals in California and another one in Ottawa, Canada.
In part 2 of this series, we will look into other malware attacks on US hospitals including hospitals that really paid the bitcoin ransom to the hackers.