After Malware Attack, Doctor Network Had Widespread OutageElectronic Health Records System Inaccessible
(Update: On Friday, Boston Children's Hospital issued a statement reporting that the electronic medical record system has been restored across all PPOC practices with most functionality available. "We are working diligently on the completion of a full restoration," the statement says.)
Hundreds of pediatric healthcare providers in Massachusetts were still unable to access their electronic health records systems Thursday after a malware attack earlier this week targeted a large physician network affiliated with Boston Children's Hospital.
The system outage affecting Brookline, Mass.-based Pediatric Physicians Organization at Children's started on Tuesday; the malware attack was discovered on Monday afternoon.
As of Thursday, the records system outage continued at the physician network, which includes more than 100 pediatric practices who serve more than 350,000 throughout the state.
The pediatrics organization and its various practices affected by the attack referred all inquiries to Boston Children's Hospital. A hospital spokeswoman tells Information Security Media Group that the malware attack did not involve ransomware and it did not affect the hospital's systems.
"The PPOC is a separate network of more than 500 primary care pediatricians, nurse practitioners and physician assistants across Massachusetts affiliated with Boston Children's," the spokeswoman says. "The PPOC IT infrastructure is distinct from the hospital's infrastructure; there was no impact to the Boston Children's Hospital systems."
PPOC uses an electronic health record platform from Epic Systems Corp.
When asked if the malware attack was directly responsible for the system disruption, or if the outage was intentional while IT teams work to contain and remediate the situation, the hospital's spokeswoman said: "The attack was detected late Monday afternoon around 3:30 p.m. The combined PPOC and Boston Children's Hospital IT teams worked swiftly to shut down the network to quarantine the affected PPOC systems and secured the unaffected ones to ensure no further impact."
The organizations' combined IT teams "are making progress to restore the systems," she added. "The affiliate offices are not cancelling appointments or closing offices. They continue to see patients for both sick and well visits. Families are being told that if they would prefer to cancel and reschedule they can."
As of Thursday, however, some of the PPOC practices affected by the incident had statements posted on their websites advising patients and their families of the outage - which affects the electronic records system and patient portals - and its impact on patient visits.
" Since Monday, the electronic medical record system that we use to schedule appointments and manage our patients' medical information has been offline as the result of a malware attack," says a statement on the website of Chestnut Hill Pediatrics. "While the Boston Children's and PPOC information technology teams are working in concert to restore our system, for the security and privacy of our patients and their families, we will be keeping the system offline until we can be completely certain that it's safe to bring it back online.
"In the meantime, we are scheduling only same-day urgent/sick visits in our office and are rescheduling many well visits and follow-ups. We currently cannot access your child's medical record - including immunization history, medications, growth charts, medical history, etc. Unfortunately, prescription refills and referrals will likely take longer than usual."
Back to Paper
Roslindale Pediatrics, another affected PPOC practice, notes on its website: "We are still trying to make appointments and taking messages over the phone and using pen and paper to see our patients."
Because the practice does not have full access to its schedules, "we will not be able to book future appointments until it is up and running again," the website notes.
"Due to the lack of access to our patient's' charts, any prescription or other medical requests may have a delay, and we apologize for this inconvenience. If you have an appointment booked please be patient as we check you in without access to our electronic medical records."
The office manager of one PPOC clinic, who asked not to be identified, told ISMG that due to the outage, the practice was also unable to electronically send patient information and orders to other healthcare entities not affiliated with Boston Children's Hospital and not part of the PPOC network.
The Boston Children's Hospital spokeswoman declined to provide further details about the incident.
When a malware attack hits a large organization, the impact can be widespread and the containment and remediation efforts can be disruptive, security experts say.
"If an attacker can gain a foothold in one segment of a larger, interconnected healthcare provider network, it can potentially result in the compromise of other networks."
—Luke Willadsen, EmberSec
"Whether this network of pediatric practices was targeted because of its broad connectivity to other networks, or this [widespread outage] was a bonus, the impact is very serious," says Kate Borten, president of privacy and security consultancy, The Marblehead Group.
"The Boston area is particularly vulnerable since there are so many medical schools and teaching facilities with overlapping patients," she says.
It's likely that some staff at organizations that are not part of PPOC and Children's Hospital are also impacted because they too cannot access the records of patients from affected practices, Borton says. "Their thwarted access to electronic records directly hampers patient care. This breach highlights the healthcare system's interdependence and reminds us of the essential importance of strong security programs in every organization, regardless of size."
Gaining a Foothold
Some security experts note that the situation illustrates the widespread threat a malware attack can pose to healthcare entities.
"If an attacker can gain a foothold in one segment of a larger, interconnected healthcare provider network, it can potentially result in the compromise of other networks. This depends on several variables," says Luke Willadsen, security consultant at cybersecurity services firm EmberSec.
"When smaller healthcare practices are members of a unifying Active Directory forest, if one practice is infected, attackers can potentially leverage Active Directory protocols to infect systems in other members of the Active Directory Forest," he notes. "If several associated healthcare practices rely on shared resources - for example, medical database services - and the shared resource becomes infected, it's possible or all practices that connect to this shared resource to become infected themselves."
Willadsen adds: "Attackers may be able to leverage information gained from one segment of a network to migrate to another. They could masquerade as their victim and send authentic-looking phishing emails from one clinic to another. Or when searching the file systems of their first victim, an attacker could find credentials or the means to gain access to further networks and victims."
Clyde Hewitt, executive adviser at security consultancy CynergisTek says he the risk that the malware infection involving PPOC will spread is "low" because the PPOC network was reported to be isolated from other organizations, even Boston Children's. "Even so, there is a potential that the attackers infected multiple sites and established backdoors prior to the visible attack," he notes.
"While there is no indication of the source or type of attack against PPOC, other organizations should scan for back doors that may be used in the future to infect others," he cautions.
Containing the Damage
Containing an attack and the spread of the malware is key to managing the scope of impact, says Keith Fricke, principal consultant at tw-Security. "Being able to shut off data communications between a known infected site and the larger healthcare system/other clinics is important," he says.
In many cases, access can be disabled electronically and remotely, depending on the architecture of the data network, he adds.
"Small clinics tend to outsource IT support services. Therefore, the speed of response necessary to segment the clinic's network from other connected facilities depends on how quickly their vendor can respond. That does not include the time required to triage the initial problem that leads to the conclusion a malware attack is at play and needs to be quarantined."
Also, when a prominent healthcare organization is attacked, other entities - affiliated or not - in a region can also be impacted, he notes.
"Information sharing is critical," Fricke notes. "Knowing that other healthcare organizations in the region are experiencing malware incidents - and what they are seeing - helps everyone be on the lookout for indicators that the infection is active in their own organization."
A common attack vector for malware propagation is email, Fricke adds. "It is likely these clinical practices exchange email messages regularly. Any restricted ability to share patient data electronically is situational, based on the payload the malware delivers and the scope of the malware infection," he says.
"Shutting off infected computer workstations is the best initial response until an IT person can analyze it. Shutting down multi-user systems, such as an EHR system, requires leadership decisions first, as shutting down systems impacts patient care. If the malware is spreading via email, IT can look at all users' email inboxes for unread messages that may contain infected attachments and delete them."
Another key practice to help prevent malware or other attacks from spreading is data mapping for all applications and business units - and updating this mapping regularly, notes Susan Lucci, a senior security and privacy consultant at tw-Security.
"When data is mapped, you can identify data sources that are sending or receiving only and which data is bi-directional," she notes.