UPDATED 00:13 EST / FEBRUARY 18 2016

Hollywood hospital coughs up Bitcoin to end ransomware attack

The Hollywood Presbyterian Medical Center revealed Wednesday that it had decided to pay the ransom to hackers who had infected its computer system with ransomware.

Although initial reports suggested that the ransom demanded was 9000 Bitcoin ($3.6 million), the hospital paid the significantly lower sum of 40 Bitcoin ($17,000).

The attack, which occurred last week, shut down vital systems needed for patient care, including CT scans, documentation, lab work and pharmacy needs, as well as sporadically impacting emergency room systems.

Doctors and medical staff were reported to have resorted to telephone calls, fax machines (apparently they still exist) and keeping paper records, and patients were being told they must travel to pick up medical test results in person rather than receive them electronically.

Fortunately, it is believed no one died due to the attack, but some patients had to be transported to other hospitals for treatment.

“The malware locks systems by encrypting files and demanding ransom to obtain the decryption key. The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key,” Hollywood Presbyterian Medical Center Chief Executive Officer Allen Stefanek told The Los Angeles Times. “In the best interest of restoring normal operations, we did this.”

Bad precedent

You can understand why the hospital agreed to pay up, and 40 Bitcoin isn’t a huge amount to pay, but the decision to pay the ransom sets an appallingly bad precedent that will only encourage those running ransomware rings to increase their attacks.

There’s also the chance now, particularly given the widespread media attention this case has obtained, that more hospitals will be attacked as they may be perceived as being soft targets.

Details are not available on the exact form of ransomware used in the attack, and the Federal Bureau of Investigation (FBI) isn’t commenting publicly on the investigation, but we’d still put money on Cryptowall 3.0 or a new variant, given the hospital could find no way of retaining control over their systems.

The attack is still being labeled as “random,” but as a pure security lesson it’s important to note that the primary attack vector for Cryptowall is a phishing campaign, which means that someone, somewhere in that hospital received an email and let the ransomware in. Ultimately, the best security any enterprise can implement is to stop the infection from happening to begin with, and that means beefing up email security and staff training.

If attack is the best form of defense, that attack has to be at the gateway while the wolf is still at the door.

Image credit: tambako/Flickr/CC by 2.0
