The hospital held hostage by hackers

Hackers hold LA hospital hostage
Hackers hold LA hospital hostage   

Los Angeles medical workers are dealing with an internal emergency straight out of science fiction, one that cybersecurity experts say is increasingly common.

For more than a week, hackers have shut down the internal computer system at a Hollywood-area hospital for a ransom of 9,000 bitcoin, or almost $3.7 million, according to NBC 4 Los Angeles. The hospital says patient care has not been compromised, though the cyberattack has forced the facility, Hollywood Presbyterian Medical Center, to revert to paper registrations and medical records and send 911 patients to other area hospitals, NBC 4 reports.

Hollywood Presbyterian did not immediately respond to CNBC's request to comment, but an unnamed doctor told NBC 4 that emergency rooms have been affected and fax lines at the hospital are jammed from lack of access to email.

Virtual kidnapping and ransomware
Virtual kidnapping and ransomware   

It's all due to a type of malicious software called ransomware that encrypts sensitive data until it can only be unlocked with a keycode, said Tim Erlin, director of IT security and risk strategy at enterprise cybersecurity firm Tripwire.

"It's a good reminder that you don't have to attack the medical device to attack its ability to deliver care," Erlin told CNBC. "The IT infected was things like email, but the inability to access those systems degrades the ability to deliver care."

Ransomware, like other malware, exploits weak spots to infect a company's system, according to Erlin. A company is more likely to be compromised when it has either software vulnerabilities, misconfigured software or when people in the organization are used as a vector for malicious links or emails.

In addition to being wary of email attachments, outside software should have the latest updates and in-house software needs to be screened for loopholes that could be accessed by hackers, said Erlin. Plus, companies should avoid circumventing passwords or setting shared or default profiles that work around security measures.

At the very least, businesses should back up their data so hard drives can be wiped and restored to their previous states, Erlin said.

It's likely that the hospital was simply caught in a web of larger attacks, Erlin said. The most significant ransomware scheme last year, called CryptoWall, cost victims $18 million associated with network mitigation, network countermeasures, loss of productivity, legal fees, IT services and the purchase of credit monitoring services for employees or customers, according to the FBI's Internet Crime Complaint Center.

The source of the cyberattack at Hollywood Presbyterian is the subject of an ongoing FBI investigation, though a spokeswoman for the FBI's Los Angeles Division declined to comment to CNBC.

Since it first appeared in 2013, 56 types of cryptoransomware have appeared, which means one of as many as 50 gangs could be behind the scheme affecting the hospital, Kevin Haley, director of Security Response at Symantec. He said that the most popular hiding places for the malware include Wordpress blogs and advertisements.

Though ransomware attacks are preventable and addressable, it's hard to know whether a business you frequent is up to date when it comes to cybersecurity, Haley said. The Hollywood attack comes just months after research firm Forrester singled out the health-care industry as a target for ransomware in 2016.

"When you go into a restaurant, you get a health rating, at least in California, from the health inspector," Haley said. "That can be a guide. We don't have anything like that in terms of security. Maybe that's something that we need. It would certainly cause companies to start doing the right thing."

For more on the hospital attack, see the full article at NBC's Los Angeles affiliate.