Inside the New York hospital hackers took down for 6 weeks

The medical industry is the new No. 1 target for hackers. Almost all U.S. health care organizations have reported at least one cyberattack. The largest American hospital hacked this year was a 550-bed facility in Buffalo.

On average, hackers can sell credit card numbers for 10 to 15 cents each, but a medical record could be worth anywhere between $30 and $500.

For Monday's "CBSN: On Assignment," CBS News correspondent Reena Ninan visits an upstate New York hospital, the Erie County Medical Center. Hackers took down the level one trauma center's computer system for six weeks.

  • Tune in to the full episode of "CBSN: On Assignment" on Mon., Aug. 21 at 10 p.m. ET/PT on CBS and CBSN.

"All the screens were black, all the computer screens were turned off," said Dr. Jennifer Pugh. "Everything we had normally used was essentially unplugged."
 
Pugh runs the medical center's emergency room. She was on duty the morning hackers sent a ransomware message demanding $44,000 in the cyber currency bitcoin to unlock hospital data being held hostage. 

They went back to pen and paper for six weeks until the systems were back online.

"Honestly, I think it's disgusting. They're attacking some of the most vulnerable members of society by coming after a hospital," Pugh said. 

"This is a form of terrorism, these are criminals. In our case, we decided not to pay that ransom but make no mistake about it, this definitely affected our organization and it's going to cost us a lot of money in the long run," said Thomas Quatroche, the hospital's CEO. 

"The U.S. government has a long-standing policy when terrorists kidnap Americans: You don't pay a ransom. Should that be the same case when they steal medical records?" Ninan asked.

"Well, I think in  every hospital has to make their own decision. So, let me tell you why we didn't: It was a matter of integrity for the institution," Quatroche said.
 
Reg Harnish leads the cyber security firm that got the hospital's systems back online. He says attacks like these are just the beginning.
 
"I think it gets a little scarier from here, honestly. Imagine that physicians, clinical staff, nurses came in one day and instead of the data being encrypted or unavailable, it was all wrong: prescriptions, allergies, which leg to amputate -- imagine that all of the data in the EMR [electronic medical records] was actually just wrong and you didn't know which data was wrong," Harnish said.