The Hollywood Presbyterian Medical Center was the victim of a ransomware attack last week: attackers encrypted its patient files and demanded a ransom to unlock them.
One of the patients, Melissa Garza, said, “I wasn’t feeling very well, went in for a check-up and they said their computers were down. I asked, what’s going on here and they said we were hacked.”
Ransom of 3.6 million US Dollars
Computer forensics expert Eric Robi said that the hackers demanded in the region of 9,000 bitcoins, which would bring the amount to over US$3.6 million (£2.52 million) in exchange for unlocking the records. In most cases, Robi says, it’s cheaper to pay the ransom than to try to fix the problem.
The hospital is sadly just another unfortunate victim of cyber crime. Investigators confirm there is no apparent motive for attacking the hospital specifically, but anyone informed about cyber security will know that attackers go after the weakest link: organisations whose defences are simply not good enough.
While the hospital has declared that it is in the midst of an “internal emergency”, Kaspersky points out that there is absolutely no guarantee that the attackers will keep their side of the ‘deal’ if the hospital chooses to pay the ransom: these are criminals, after all.
What is a company to do?
“Cyber crime is a sophisticated and developed threat; the fastest way to develop a response to cyber crime is to collaborate with and learn from others,” says Alan Calder, CEO of IT Governance. “ISO 27001 and its supporting body of good practice is specifically focused on helping organisations tackle and contain cyber risk.
“ISO 27001 is globally recognised as the cornerstone of effective cyber resilience, which is why so many organisations and government bodies rely on ISO 27001 certifications as evidence that their suppliers are responsibly managing information security.”
ISO 27001 sets out the specification for a best-practice information security management system (ISMS). By implementing an ISMS, the company should be able to improve its own security with controls that have been selected on the basis of the organisation’s specific risk environment and risk appetite.
Why cyber security measures aren’t enough
Most companies already have a number of cyber security measures in place, such as policies, practices, procedures, work instructions and technologies. What companies without an effective, ISO 27001-supported ISMS often lack is a process for determining whether those measures are adequate for their particular risk environment.
ISO 27001 helps you to identify and manage those risks: by implementing ISO 27001, your company will be in a position to address the major cyber threats systematically and to reduce the chance of overlooking a risk. This is because ISO 27001 requires a comprehensive risk assessment, leadership commitment, company-wide involvement and continual improvement.
Find out how to get started with ISO 27001 today, with an overview of your people, processes and technology and expert support, whatever your budget and needs.
Update: The hospital reportedly finally paid US$17,000 (£11,900) to the attackers, far less than the 9,000 bitcoins initially reported. The hospital CEO, Allen Stefanek, said on Wednesday that paying the ransom was “the quickest and most efficient way to restore our systems and administrative functions.” All systems have now been restored. The Register reports that “the infection has been described as ‘random’ rather than targeted, suggesting a staffer opened a dodgy email or visited a malicious website that caused the network to be laid low.”