Ransomware Attacks On Hospitals Are Our New Normal—And A Sign Of Progress

Healthcare, long the fax machine’s great patron, is finally going digital

Over on the dark net, a hacker named TheDarkOverlord is in for a big payday. This week, the hacker announced that he’d breached at least four healthcare databases in a reputation-making move, and he’s putting the stolen data up for sale: Roughly 10 million patient records, many with social security, phone, insurance, and credit card numbers in addition to full medical histories. The asking price adds up to over a million dollars for exclusive rights to the files from all four datasets, and there isn’t even a question of if TheDarkOverlord will get paid. It’s how fast.

Nearly 100 million health records were stolen in 2015, and yours may have already been hijacked. According to a survey by KPMG, an astonishing 80 percent of executives at healthcare providers and payers admitted their information had been compromised, and they’re shelling out around $6 billion annually in ransom payments to get their systems and data back. They need those records to return to work and would rather pay up than have their databases frozen or erased—not to mention their patients’ information sold on black markets. (Yes, there’s more than one.)

When it comes to medical records, identity theft and hospital ransoms are byproducts of progress. Healthcare, long the fax machine industry’s great patron, is still adapting to digital systems—and security breaches are its version of growing pains. John D. Halamka, chief information officer and dean for technology at Harvard Medical School, told me we’re still in the “biplane” era of online records. “The jet engine hasn’t been invented yet,” he said. “But a paper record can only be read by one person at a time in a single location. Digital records can be shared, secured, audited, easily read, and viewed anywhere by those with a need to know.”

Simply put: medical information is worth more than financial data like credit card numbers, which have a finite lifespan and are so plentiful on black markets they often sell for close to nothing. But a single updated medical record often goes for $10 a pop. Criminals use stolen information to obtain prescriptions, make insurance claims, or—in extreme cases—enroll for new coverage with no intention of paying the resulting bills.

Victims of medical fraud are usually in for a prolonged headache. If someone uses your identity to get treatment, who pays the bill? For one man in Colorado, a fraudulent surgery ended with a $44,000 hit. If someone maxes out a prescription you need, it can take months to clear your record. And a false diagnosis to get controlled substances could surface in a job interview. In a 2015 study by the Ponemon Institute, 65 percent of the medical fraud victims they interviewed had to pay to resolve fraud cases or settle outstanding bills. The average amount? $13,500.

The overwhelming majority of healthcare breaches come from ransomware, malicious software that blocks access to a computer system until a bounty is paid, usually in Bitcoin (because these attacks are all anonymous and heavily encrypted, the payment will always be in cryptocurrency). I asked Engin Kirda, a professor at the College of Computer and Information Science at Northeastern University, how these attacks take place. “If there is a vulnerability on the system, malware may exploit it and install itself,” he told me. “In a lot of the cases, though, there is a social engineering aspect to the attack. The victim is tricked to click on a link that she shouldn't click on or download something she shouldn't download.”

So the security of our personal data, as well as the accessibility of health records, is routinely compromised because employees click the wrong links. The bright side for patients is that hospitals and doctors value their information even more than a random buyer on the dark web. “Data, personal information, passwords to accounts, these are assets of value,” said Lee Tien, senior staff attorney and Adams Chair of Internet Rights at the Electronic Frontier Foundation. “In the exfiltration context, you might just sell them, but in the ransomware context, you extract value from someone who values them a lot more than a buyer on the black market. A hospital might not be able to treat its patients or operate at all without access to its systems.”

If a malware attack doesn’t result in a total organizational shutdown, it often means taking systems offline and temporarily moving back to paper records. That’s what happened at Hollywood Presbyterian Hospital this past February when, for ten days, it mulled over whether to pay hackers their demand of 40 bitcoin, equivalent to roughly $17,000. They eventually ponied up, and the widely-reported figure has served as an inspiration to online criminals. The FBI, while warning organizations about the rise in ransomware attacks, doesn’t recommend paying off hackers. But most organizations are left with no choice.

Rob Bathurst, managing director for healthcare and embedded systems at the leading cybersecurity firm Cylance, told me the only way to stop ransomware attacks is to be proactive about security rather than reacting to a crisis. “If you don’t have the technology to prevent these types of occurrences, the only recourse in most cases is to pay,” he said. “In the vast majority of cases, what we see is the institution pays the ransom and then tries to address the problem of preventing it from occurring again in the future.”

Prevention, though, is largely out of the patient’s hands. Make a doctor’s appointment or visit a hospital, and you have to provide data. You have no control over who exactly has access to your record or what happens if it gets held hostage. The medical field has lagged behind finance and government (two industries with their fair share of security breaches) when it comes to adopting online networks and providing the proper security to protect them. According to a recent survey by HIMSS Analytics and Symantec, more than 80 percent of healthcare organizations spend less than 6 percent of their IT budgets on security.

“What we have here is a classic example of an industry sector that is trying to modernize and use IT effectively, but is not paying enough attention to the problems of data security,” Tien told me. “A big part of why is that security is hard and often gets in the way of making the data available to those you want to share it with. People have been talking about electronic health records for years, but EFF and Patient Privacy Rights and other groups have been saying ‘slow down’ and make sure crypto [technology] is being used. If you build a nice house with lots of valuable stuff in it, but don’t have locks on the doors, you’re asking for trouble.”

The good news? There’s plenty of room to catch up—though things will likely get worse before they get better. Experts like Bathurst recommend a three-pronged approach: Investing more in technologies to prevent ransomware from happening in the first place, improving worker awareness so there’s an easy path to notify IT people of security concerns, and, finally, training these employees to get better at spotting malicious emails. As a patient, the best move you can make is to be proactive about tracking fraud on your financial and other accounts, along with paying attention if your pharmacist says you’re maxed out on your prescription when you know you aren’t.
