ARI SHAPIRO, HOST:
A Los Angeles hospital says it paid a ransom of 40 bitcoins or about $17,000 to hackers who shut down its computer system for days. Hollywood Presbyterian Medical Center says its servers are back online now, and patients' safety was never compromised. NPR's Kirk Siegler reports cyber security experts aren't so sure.
KIRK SIEGLER, BYLINE: Hollywood Presbyterian and law enforcement still haven't said how the malware infected the hospital's computers, but cyber security experts say it's likely that someone unknowingly clicked on a link or opened an email they shouldn't have. And just like that, the hospital servers were locked by thieves demanding ransom to turn them over.
CLIFFORD NEUMAN: Because our systems are so vulnerable, this is sort of a high payoff way for criminals to monetize their hack.
SIEGLER: Clifford Neuman heads the Center for Computer System Security at USC. He says the hospital did the right thing by shutting everything down and reverting to writing medical records by hand straight away. But the fact is the hackers only needed a few seconds to access all that data in sensitive files.
NEUMAN: They don't necessarily know that it didn't send copies out of their system to somewhere else. So there's always a potential that the privacy of medical records were compromised as well.
SIEGLER: Our medical records contain our Social Security numbers, our medical history that advertisers and marketers are hungry for among other sensitive things. And Neuman says this case shows how hospitals, companies, firms big and small need tougher antivirus software and they need to back up their systems. But they should also rethink whether so many employees need access to huge servers at all times. Elizabeth Lucas, CEO of a hacker education company called Decoded, says there's one thing that can never be fully controlled, us.
ELIZABETH LUCAS: There's nothing that your, you know, IT department can do in terms of preventing, you know, the natural curiosity that we have as human beings to click on something when you get an email
SIEGLER: Lucas says we're surprised and alarmed by the Hollywood Presbyterian case, but this sort of ransomeware attack is actually becoming more and more common. She says most firms pay the ransom quickly and quietly because they don't want their reputations tarnished. Kirk Siegler, NPR News, Culver City, Calif. Transcript provided by NPR, Copyright NPR.