By Kim Smiley
In February 2016, Hollywood Presbyterian Medical Center’s computer network was hit with a cyberattack. The hackers took over the computer system, blocking access to medical records and email, and demanded ransom in return for restoring the system. After days without access to their computer system, the hospital paid the hackers 40 bitcoins, worth about $17,000, in ransom and regained control of the network.
A Cause Map, an intuitive visual format for performing a root cause analysis, can be built to analyze this incident. Not all of the information from the investigation has been released to the public, but an initial Cause Map can be created to capture what is now known. As more information becomes available, the Cause Map can easily be expanded to incorporate it.
The first step in the Cause Mapping process is to fill in an Outline with the basic background information. The bottom portion of the Outline has a place to list the impacts to the goals. In this incident, as with most, more than one goal was impacted. The patient safety goal was impacted because patient care was potentially disrupted when the hospital was unable to access medical records. The economic goal was also impacted because the hospital paid about $17,000 to the hackers. The fact that the hackers got away with the crime could be considered an impact to the compliance goal. To view a filled-in Outline as well as a high-level Cause Map, click on “Download PDF” above.
Once the Outline is completed and the problem is defined, the next step is to build the Cause Map to analyze the issue. The Cause Map is built by asking “why” questions and laying out the answers to show all the cause-and-effect relationships that contributed to an issue. In this example, the hospital paid ransom to hackers because it was unable to access its medical records. This occurred because the hospital used electronic medical records, hackers blocked access to them and there was no back-up of the information. (When more than one cause contributed to an effect, the causes are listed vertically on the Cause Map and separated with an “and”.)
How the hackers were able to gain access to the network hasn’t been released, but generally these types of ransomware attacks start with the hacker sending what seems to be a routine email with an attached file such as a Word document. If somebody enables content on the attachment, the virus can access the system. Once the system is infected, the data on it is encrypted and the user is told that they need to pay the hackers to gain access to the encryption key that will unlock the system. Once the system has been locked up by ransomware, it can be very difficult to regain access to the data unless the ransom is paid. Unless a system is designed with robust back-ups, the only choices are likely to be to pay the ransom or lose the data.
The best way to deal with these types of attacks is to prevent them. Do not click on unknown links or attachments. Good firewalls and anti-virus software may help if a person does click on something suspicious, but they can’t always prevent infection. Many experts are concerned about the precedent set by businesses choosing to pay the ransom and fear these attacks may become increasingly common as they prove effective.