Hospital Cyber Attacks and Crypto Currency: Part XI

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series of articles on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the eleventh installment in the series.

Virtually all major healthcare organizations in the United States have reported at least one cyberattack. 

Erie County Medical Center is a 550-bed facility located in upstate New York, in the City of Buffalo. A few weeks ago, all of the screens of the computer terminals connected to this Level I trauma center went black. Nothing could be turned back on. It was impossible to access any data.

The hospital received a message.

“What happened to your files? All your files (are) encrypted with RSA-2048 encryption. For more information, search in Google ‘RSA Encryption.’ How to recover files? RSA is a asymmetric cryptographic algorithm. You need one key for encryption and one key for decryption. So you need private key to recover your files. It’s not possible to recover your files without private key. How to get private key? You can get your private key in three easy steps: Step 1: You must send us 1.1 BitCoin for each affected record. 24 Bitcoins for receive all private keys for all affected records. Step 2: After you send us …”

The English has numerous syntax errors and grammatical mistakes.

In short order, the hospital received a demand for payment of 24 Bitcoin, the equivalent of $44,000. For criminals, the use of crypto-currency is favored because the flow of funds going directly from the payer to the payee moves in a highly encrypted form, and without any central bank, repository, or intermediary. It can be used anywhere, in any country, and through any information system connected to the Internet.

It is a very private way of sending and receiving payments, because without any intermediary, there is no place that law enforcement or tax authorities or anyone else can look to see a recording of the transaction. In the United States, your banking transactions are considered to be records easily obtainable by law enforcement, as are your telephone records under the pen-trap statutes. But with no records, there is nothing for law enforcement to obtain.

Crypto-currency does have a distributed ledger, whereby all transactions are recorded. This is called the “blockchain.” This public ledger is not maintained in a single place, but instead is passed around by a network of communicating nodes that run the bitcoin software. It is heavily encrypted.

Crypto-currency uses not a centralized database, but instead a distributed database. Every network node keeps a copy of the database. Everything is updated every 10 minutes. When a hospital sends $44,000 in Bitcoin to criminal “X,” this transaction is broadcast to the network of ledgers. The network nodes verify the transaction, then update all other nodes.

Crypto-currency transactions were being processed at the rate of 5,000 per month in 2009, but by 2011 the rate was around 60,000 per month. In 2013, the rate was 1,000,000 per month; and currently, the rate is approximately 10,000,000 per month. If the current growth rate continues, by 2020 the rate should be approximately 100,000,000 transactions per month.

Good luck finding the incriminating transaction in that fog – even if you could read it, which you can’t.

Erie’s Response to Cyber Extortion

Getting back to Erie County Medical Center – it was impossible for the trauma center to cease operation; patients kept coming in. Erie reverted to manual procedures. That is, everything was done with paper and pen. Has anyone run out to a store and tried to purchase carbon paper lately?

Then came time for the decision: “to pay or not to pay?”

The hospital hung tough. Its management decided not to pay.

What was the result? The hospital was forced to hire an ICT consulting firm to come in and completely rebuild its information system. Was it quick? No. It took six full weeks to get everything running again. Actually, it took six full weeks to build and install a completely new information system for the trauma unit.

The Calculus of Cyber Extortion and Ransomware

There is a calculus to cyber extortion. We might even say there is a “sweet spot” in the market. The extortion demand should be large enough to be significant and profitable for the extortionist, but low enough so that the victimized hospital can easily come to the conclusion that it would be cheaper to pay than to go through what it would require to rebuild its information system. As long as the extortion amount is lower than the rebuild cost, it is logical for the hospital to pay up. Actually, if the hospital purposefully chooses the most expensive alternative, it would be violating its fiduciary responsibility. As long as the extorters stay in this “sweet spot,” they can continue to milk the cow without killing it.

Extortion, after all, is a classical criminal activity. For a hospital, the objective is to avoid actual harm to itself or its patients, apart from extortion of money. After all, if cyber extortion took place, and payments were made but data not recovered, then future cyber extortionists would have no credibility. So successful cyber extortion depends on the reputation of the extortionist for doing what they say they will. That is, after the money is received, then the data really can be unlocked.

Other Forms of Cyber Terrorism

There could be a darker side to this. Experts worry that cyber criminals eventually may do more than simply extort money. What would be the likely pattern if the cybercriminal was a terrorist instead of an extortionist? Then, the objectives will have completely changed. There is no need to extort money; instead, the objective is to do as much harm as possible, or even murder as many as possible. In addition to the taking of innocent life, an additional objective of terrorism is to make society feel helpless, and even partially at fault itself.

Suppose, for example, that the electronic medical records of patients were hacked. With the correct application of numerous algorithms, it would be possible to change the amounts of prescriptions to either insufficient levels or to excessive levels; either could be fatal. Or surgery on the right side could become surgery on the left. Or tumors could be found where there are none, or hidden when they are metastasizing and deadly. Patients with high fever could be made to look normal. People with insufficient oxygen could be made to look flush.

Lab reports could be changed. Certain infections could be mischaracterized so that the wrong antibiotics are used. The list goes on and on. It is up to the imagination how much damage could be done.

The disheartening aspect of this is that this type of terrorism would have no need to become immediately visible. Like the “sweet spot” in the extortion market, the number of illegal acts could be kept high enough to be effective, but low enough not to be detected immediately. Hundreds of patients might be affected before someone realizes there are problems.

Taking Effective Cyber Security Measures

All across the United States, hospitals and other healthcare providers are in the midst of reassessing their cyber-security, but there is no easy answer, and no single methodology or technology that will address all of the inherent risks.

To a significant extent, all providers are different, and consequently, they all have different information systems. The result is that no one set of cyber security practices will fit every provider.

So the question becomes this: If there is no single cyber security methodology available that is universal enough to work for all providers, how can the auditing standards of the U.S. government be so uniform?

A deeper question is this: how can providers solve their cyber security issues using what in reality is at least a partially customized solution for each provider?

As highlighted in previous editions of this series, preparing for a cyber audit involves taking tangible steps to improve the security of your information system. But being secure is not adequate for the purposes of an audit.

Instead, it is necessary to be able to show documentation of everything you have done. In future issues of this series, we will go into greater detail about cyber audits and address the issue of how audits can be comprehensive enough to cover the vast range of healthcare providers, but at the same time flexible enough to accommodate the inherent differences between them. 


Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.
