Hospital Cyber Attacks and Crypto Currency: Part XI

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series of articles on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the eleventh installment in the series.

Virtually all major healthcare organizations in the United States have reported at least one cyberattack. 

Erie County Medical Center is a 550-bed facility located in upstate New York, in the City of Buffalo. A few weeks ago, all of the screens of the computer terminals connected to this Level I trauma center went black. Nothing could be turned back on. It was impossible to access any data.

The hospital received a message.

“What happened to your files? All your files (are) encrypted with RSA-2048 encryption. For more information, search in Google ‘RSA Encryption.’ How to recover files? RSA is a asymmetric cryptographic algorithm. You need one key for encryption and one key for decryption. So you need private key to recover your files. It’s not possible to recover your files without private key. How to get private key? You can get your private key in three easy steps: Step 1: You must send us 1.1 BitCoin for each affected record. 24 Bitcoins for receive all private keys for all affected records. Step 2: After you send us …”

The English has numerous syntax errors and grammatical mistakes.

In short order, the hospital received a demand for payment of 24 Bitcoin, the equivalent $44,000. For criminals, the use of crypto-currency is favored because the flow of funds going directly from the payer to the payee moves in a highly encrypted form, and without any central bank, repository, or intermediary. It can be used anywhere, in any country, and through any information system connected to the Internet.

It is a very private way of sending and receiving payments, because without any intermediary, there is no place that law enforcement or tax authorities or anyone else can look to see a recording of the transaction. In the United States, your banking transactions are considered to be records easily obtainable by law enforcement, as are your telephone records under the pen-trap statutes. But with no records, there is nothing for law enforcement to obtain.

Crypto-currency does have a distributed ledger, whereby all transactions are recorded. This is called the “blockchain.” This public ledger is not maintained in a single place, but instead is passed around by a network of communicating nodes that run the bitcoin software. It is heavily encrypted.

Crypto-currency uses not a centralized database, but instead a distributed database. Every network node keeps a copy of the database. Everything is updated every 10 minutes. When a hospital sends $44,000 in Bitcoin to criminal “X,” this transaction is broadcast to the network of ledgers. The network nodes verify the transaction, then update all other nodes.

Crypto-currency transactions were being processed at the rate of 5,000 per month in 2009, but by 2011 the rate was around 60,000 per month. In 2013, the rate was 1,000,000 per month; and currently, the rate is approximately 10,000,000 per month. If the current growth rate continues, by 2020 the rate should be approximately 100,000,000 transactions per month.

Good luck finding the incriminating transaction in that fog – even if you could read it, which you can’t.

Erie’s Response to Cyber Extortion

Getting back to Erie County Medical Center – it was impossible for the trauma center to cease operation; patients kept coming in. Erie reverted to manual procedures. That is, everything was done with paper and pen. Has anyone run out to a store and tried to purchase carbon paper lately?

Then came time for the decision: “to pay or not to pay?”

The hospital hung tough. Its management decided not to pay.

What was the result? The hospital was forced to hire an ICT consulting firm to come in and completely rebuild its information system. Was it quick? No. It took six full weeks to get everything running again. Actually, it took six full weeks to build and install a completely new information system for the trauma unit.

The Calculus of Cyber Extortion and Ransomware

There is a calculus to cyber extortion. We might even say there is a “sweet spot” in the market. The extortion demand should be large enough to be significant and profitable for the extortionist, but low enough so that the victimized hospital can easily come to the conclusion that it would be cheaper to pay than to go through what it would require to rebuild its information system. As long as the extortion amount is lower than the rebuild cost, it is logical for the hospital to pay up. Actually, if the hospital purposefully chooses the most expensive alternative, it would be violating its fiduciary responsibility. As long as the extorters stay in this “sweet spot,” they can continue to milk the cow without killing it.

Extortion, after all, is a classical criminal activity. For a hospital, the objective is to avoid actual harm to itself or its patients, apart from extortion of money. After all, if cyber extortion took place, and payments were made but data not recovered, then future cyber extortionists would have no credibility. So successful cyber extortion depends on the reputation of the extortionist for doing what they say they will. That is, after the money is received, then the data really can be unlocked.

Other Forms of Cyber Terrorism

There could be a darker side to this. Experts worry that cyber criminals eventually may do more than simply extort money. What would be the likely pattern if the cybercriminal was a terrorist instead of an extortionist? Then, the objectives will have completely changed. There is no need to extort money; instead, the objective is to do as much harm as possible, or even murder as many as possible. In addition to the taking innocent life, an additional objective of terrorism is to make society feel helpless, and even partially at fault itself.

Suppose, for example, that the electronic medical records of patients were hacked. With the correct application of numerous algorithms, it would be possible to change the amounts of prescriptions to either insufficient levels or to excessive levels; either could be fatal. Or surgery on the right side could become surgery on the left. Or tumors could be found where there are none, or hidden when they are metastasizing and deadly. Patients with high fever could be made to look normal. People with insufficient oxygen could be made to look flush.

Lab reports could be changed. Certain infections could be mischaracterized so that the wrong antibiotics are used. The list goes on and on. It is up to the imagination how much damage could be done.

The disheartening aspect of this is that this type of terrorism would have no need to become immediately visible. Like the “sweet spot” in the extortion market, the number of illegal acts could be kept high enough to be effective, but low enough not to be detected immediately. Hundreds of patients might be affected before someone realizes there are problems.

Taking Effective Cyber Security Measures

All across the United States, hospitals and other healthcare providers are in the midst of reassessing their cyber-security, but there is no easy answer, and no single methodology or technology that will address all of the inherent risks.

To a significant extent, all providers are different, and consequently, they all have different information systems. The result is that no one set of cyber security practices will fit every provider.

So the question becomes this: If there is no single cyber security methodology available that is universal enough to work for all providers, how can the auditing standards of the U.S. government be so uniform?

A deeper question is this: how can providers solve their cyber security issues using what in reality is at least a partially customized solution for each provider?

As highlighted in previous editions of this series, preparing for a cyber audit involves taking tangible steps to improve the security of your information system. But being secure is not adequate for the purposes of an audit.

Instead, it is necessary to be able to show documentation of everything you have done. In future issues of this series, we will go into greater detail about cyber audits and address the issue of how audits can be comprehensive enough to cover the vast range of healthcare providers, but at the same time flexible enough to accommodate the inherent differences between them. 

Print Friendly, PDF & Email

Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.

Related Stories

Leave a Reply

Please log in to your account to comment on this article.

Featured Webcasts

The Inpatient Admission Order: Master the Who, When, and How

The Inpatient Admission Order: Master the Who, When, and How

During this webcast Dr. Ronald Hirsch delves into the inpatient admission order process including when to get it, when it becomes effective, its impact on billing and payment, who can write it, how to cancel it, the effects on the beneficiary, and more. You’ll leave with a clear understanding of inpatient orders and guidelines for handling improper orders that you can implement immediately.

June 20, 2024
Navigating AI in Healthcare Revenue Cycle: Maximizing Efficiency, Minimizing Risks

Navigating AI in Healthcare Revenue Cycle: Maximizing Efficiency, Minimizing Risks

Michelle Wieczorek explores challenges, strategies, and best practices to AI implementation and ongoing monitoring in the middle revenue cycle through real-world use cases. She addresses critical issues such as the validation of AI algorithms, the importance of human validation in machine learning, and the delineation of responsibilities between buyers and vendors.

May 21, 2024
Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Leveraging the CERT: A New Coding and Billing Risk Assessment Plan

Frank Cohen shows you how to leverage the Comprehensive Error Rate Testing Program (CERT) to create your own internal coding and billing risk assessment plan, including granular identification of risk areas and prioritizing audit tasks and functions resulting in decreased claim submission errors, reduced risk of audit-related damages, and a smoother, more efficient reimbursement process from Medicare.

April 9, 2024
2024 Observation Services Billing: How to Get It Right

2024 Observation Services Billing: How to Get It Right

Dr. Ronald Hirsch presents an essential “A to Z” review of Observation, including proper use for Medicare, Medicare Advantage, and commercial payers. He addresses the correct use of Observation in medical patients and surgical patients, and how to deal with the billing of unnecessary Observation services, professional fee billing, and more.

March 21, 2024
Comprehensive Inpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Comprehensive Inpatient Clinical Documentation Integrity: From Foundations to Advanced Strategies

Optimize your inpatient clinical documentation and gain comprehensive knowledge from foundational practices to advanced technologies, ensuring improved patient care and organizational and financial success. This webcast bundle provides a holistic approach to CDI, empowering you to implement best practices from the ground up and leverage advanced strategies for superior results. Participants will gain actionable insights to improve documentation quality, patient care, compliance, and financial outcomes.

June 26, 2024
Advanced Inpatient Clinical Documentation Integrity: Harnessing Technology, Analytics, and Compliance

Advanced Inpatient Clinical Documentation Integrity: Harnessing Technology, Analytics, and Compliance

Join expert Angela Comfort, MBA, RHIA, CDIP, CCS, CCS-P., as she helps you navigate advanced inpatient CDI technologies, regulatory changes, and system interoperability. Angela will provide actionable strategies for integrating AI and predictive analytics into CDI practices, ensuring seamless system interoperability, and maintaining compliance with evolving regulations. Attendees will learn to select and implement advanced EHR systems and CDI software, leverage data analytics to enhance documentation accuracy, and stay audit-ready with the latest compliance updates. Real-world case studies and practical tools will empower you to drive continuous improvement in CDI, improve patient outcomes, and enhance organizational efficiency. Don’t miss this opportunity to advance your CDI practices and stay ahead in this dynamic field.

July 11, 2024
Foundations of Inpatient Clinical Documentation Integrity: Enhancing Accuracy and Compliance

Foundations of Inpatient Clinical Documentation Integrity: Enhancing Accuracy and Compliance

Join expert Angela Comfort, MBA, RHIA, CDIP, CCS, CCS-P, for an insightful webcast on improving inpatient clinical documentation integrity (CDI). Inaccurate documentation can lead to misdiagnosis, improper treatment, and compromised patient safety. High workloads, lack of standardized practices, and outdated EHR systems contribute to these issues, affecting care quality and financial outcomes. Angela will offer practical strategies and tools to enhance accuracy, consistency, and timeliness in documentation. Attendees will learn to use standardized templates, checklists, and advanced EHR systems, while staying compliant with regulations. Improve patient care, ensure accurate billing, and reduce audit risks with actionable insights from this essential webcast.

June 26, 2024
Mastering E/M Coding: Navigating the Evolving Landscape

Mastering E/M Coding: Navigating the Evolving Landscape

Join industry expert, Kathy Pride, RHIT, CPC, CPMA, CCS-P, for an in-depth exploration of Evaluation and Management (E/M) coding, tailored for healthcare professionals navigating recent guideline changes. Dive into advanced topics beyond mere code selection, including shared visits, criteria for selecting E/M levels, and documentation best practices. Gain clarity on complex guideline terminology and ensure compliance with regulatory standards. This comprehensive session is essential for coders, auditors, educators, and practitioners seeking to enhance their proficiency in E/M coding and maximize revenue capture.

June 19, 2024

Trending News

Happy National Doctor’s Day! Learn how to get a complimentary webcast on ‘Decoding Social Admissions’ as a token of our heartfelt appreciation! Click here to learn more →

Honor Memorial Day with Savings! Get 20% off all items using code MEMORIAL24 at checkout. Shop today and save! Offer valid until May 31. Exclusions apply.

Happy World Health Day! Our exclusive webcast, ‘2024 SDoH Update: Navigating Coding and Screening Assessment,’  is just $99 for a limited time! Use code WorldHealth24 at checkout.