Hackers targeting hospitals are after money, not information

Local expert explains "ransomware" and how companies can avoid it

SAN ANTONIO – In the last two years, 90 percent of U.S. hospitals fell victim to some type of cyber attack. It's clear hospitals are a hot new target. Even more important to hackers than your information? Money.

When hackers zeroed in on Hollywood Presbyterian Medical Center earlier this year, they made it clear to the hospital: Pay them or they'd keep the information they stole.

The hospital paid $17,000. The cyber-hostage move is called "ransomware."

"One of the main entrances into our organizations is through phishing emails. So somebody clicks on it, it downloads onto their system," said Natalie Sjelin, associate director of UTSA's Center for Infrastructure Assurance and Security.

Sjelin explains that once that malware is in the system, the hackers take over.

"Then what happens is this wonderful little message pops up and it says, 'Oh by the way your files have been deleted and we've encrypted a copy of it and you can get that back when you pay us whatever the ransom is,'" Sjelin said.

Ransomware is becoming a popular method. The worst part is that companies that pay the ransom have no guarantee they'll actually get their files back. It's a huge risk.

The main thing that can keep businesses from having to pay that ransom if they're hacked is backups.

"Have a good working copy of your files and have it stored not as part of that system. Have it stored somewhere else," Sjelin said. "So you're going to identify the infected systems, take them off the network, and you're going to recover those good copied files." 

Another crucial preventative measure is better employee training, teaching more specific ways to identify dangerous emails or links.

Sjelin said hospitals are targeted oftentimes because many have outdated equipment. Plus, they have huge technological systems. 

"We know there are vulnerabilities, we know we have to patch our systems, but especially with systems you might find in a hospital, or some sort of specialty organization, they have customized systems so updating their systems may be a little more intricate to update," she said.

She also said keeping things up to date can be very tedious, very expensive and very time intensive for places like hospitals.

Still, even with outdated technology, Sjelin said companies have to start protecting their networks with complicated systems.

"If you have layer after layer after layer of security measures in place it's going to make it more and more difficult," she said.

That could prevent hospitals from coughing up unnecessary money and help them keep precious patient records away from criminals.

KSAT reached out to several local hospitals about this issue. They all replied saying that while they have security systems in place, they do not want to give out details for safety reasons.
