Attackers Demand $14 Million Ransom From IT Services FirmIncident Could Have Ripple Effect on Virtual Care Provider's 110 Healthcare Clients
Virtual Care Provider Inc., which provides cloud hosting and other services to more than 110 healthcare entities, including nursing homes and assisted living facilities, is struggling to bounce back from a ransomware attack in which hackers demanded a $14 million ransom.
In a Nov. 18 letter to its clients, the Milwaukee-based company says it was attacked on Nov. 17 with Ryuk ransomware that was spread by the TrickBot virus.
Addressing its efforts to restore services after the attack, the company says: "We don't currently have an estimate of the time necessary for this work effort, as it will be based on the number of affected servers. We are prioritizing servers that provide Active Directory access, email, eMAR [electronic medication administration records system], and electronic health records applications."
News blog Krebs on Security reports that the attack has affected nearly all of VCPI's core offerings, including internet service and email, access to patient records, client billing and phone systems, and even the firm's payroll operations that serve nearly 150 company employees.
VCPI's owner, Karen Christianson told Krebs she fears this incident could lead not only to the closure of the IT services provider, but also some of its clients.
That's because VCPI cannot afford to pay the nearly $14 million bitcoin ransom attackers are demanding. Plus, some clients will potentially be unable to process Medicaid billing for December payments, Christianson told Krebs. In other cases, some facilities can't process patient medication orders, she told the blogger.
VCPI did not immediately respond on Monday to Information Security Media Group's request for more information about the attack and the status of the company's recovery efforts.
In the Nov. 18 letter to its clients, VCPI noted that it was quickly alerted by its monitoring systems "to the spreading of this virus, and we officially invoked our documented incident response and management process." VCPI also notes that it contacted its cybersecurity insurance policy provider, Beazley, and then was connected to a third-party security consulting firm to work on restoration of VCPI's systems.
Krebs reports that VCPI clients routinely access their records and other systems outsourced to VCPI by using a Citrix-based virtual private networking platform. VCPI says restoring customer access to this functionality, including access to their EHRs, is its "top priority" right now, according to the blog.
High Ransom Demand
Attorney Jason G. Weiss of the law firm Drinker, Biddle and Reath - a former FBI special agent and forensics expert - notes that the $14 million ransom demand against VCPI "seems exceptionally high for this type of event."
"It appears that the attacker here believes that they have the victim in a 'must pay' situation or they risk losing their business," he says. "This is beyond difficult for the victim - especially as it relates to healthcare providers who work in a life or death situation every day."
In recent months, the healthcare sector has been plagued by ransomware attacks - some of which have had a devastating impact.
For instance, in September, Wood Ranch Medical, a small clinic in Simi Valley, Calif., announced it plans to close by year-end because it cannot recover access to any of its records as a result of an August ransomware attack (see: Latest U.S. Healthcare Ransomware Attacks Have Harsh Impact).
Even in those cases where an organization is able to recover from a ransomware attack using backups, there's no guarantee that all the organization's data will be restored (see: Latest Ransomware Attacks Show Diversity of Victims).
Ransomware attacks that target vendors serving a large number of healthcare clients can have a particularly big impact.
For instance, an August ransomware attack against West Allis, Wisconsin-based cloud services provider PerCSoft affected hundreds of dental practices across the U.S. (see: Ransomware Attack Impacts Hundreds of Dental Practices).
And earlier this year, Doctors Management Services, a West Bridgewater, Massachusetts-based medical billing services firm, revealed that a GandCrab ransomware attack affected 38 of its clients and 207,000 of their patients.
Doctors Management Services was able to recover from the ransomware attack through using backups and did not pay a ransom.
"Losing access to patient records because of a cyber incident is a worst-case scenario that can have life-or-death consequences, so avoiding that should be a high priority."
—Eddie Chang, Travelers
And an attack in June 2017 on medical transcription services firm Nuance involving NotPetya ransomware disrupted services to some clients for weeks.
"The numbers show a dramatic increase in ransomware attacks in just the last year, and the number one target of ransomware attacks is the healthcare industry," Weiss notes. "The time to prepare yourself is now. ... It is never too early to prepare yourself from these types of attacks."
Organizations must ensure that their IT infrastructure defenses are current, active and properly monitored, he stresses. "Additionally, it is always wise to turn off all ports and services your business doesn't need," he adds.
Of course, it's also critical for entities to train their employees on how to avoid social engineering attacks, such as phishing emails, which often are the first step toward allowing ransomware into the network.
"There is no 100 percent solution to fully protecting your network as long as there are people using it, but you can better protect your network and your business by training your employees to avoid common social engineering attacks that lead to the spread of attacks like ransomware," Weiss says.
Managing Vendor Security Risk
Healthcare providers that manage their own IT departments have more control over their fate than those that rely on third-party vendors, says Clyde Hewitt, executive adviser at security consultancy CynergisTek. "Unfortunately, that option will cost more - and that assumes they can even find qualified security staff to manage their systems. For most smaller providers, this is not a viable option at this point."
Too many organizations assume that they won't ever become a cyberattack victim, says Eddie Chang, second vice president of cyber risk management at the insurance firm Travelers.
According to the 2019 Travelers Risk Index, the number of small businesses that have experienced a data breach or other cyber event has jumped 200 percent since 2015, he notes
"One of the most common mistakes companies make is to think they can eliminate their cyber risk just by outsourcing their IT," he says. "When a business uses a vendor to provide a critical IT service, it's important for the business to look beyond the marketing and really understand how that service is being provided and how the business's data is being protected."
Properly backing up important data can allow a healthcare entity to remain operational even if its IT provider suffers a crippling cyber breach, he notes.
"Losing access to patient records because of a cyber incident is a worst-case scenario that can have life-or-death consequences, so avoiding that should be a high priority," Chang says. "Many ransomware attackers are targeting backup files and servers, so using an off-site location, such as the cloud, should be considered as a way to help secure this critical data."
The Ryuk Threat
The attack on VCPI also highlights the urgency for IT vendors to protect all backups, and the systems they reside on, from not only encryption but also destruction, because the Ryuk ransomware has been reported to reformat drives containing backups as well as shadow copies of virtual servers when it could not successfully encrypt them, Hewitt says.
"Healthcare providers may need to resort to keeping a paper copy of the most critical needs, for example, medications lists, but only rely on them in an emergency," he says.
Businesses that rely on third-party providers for critical IT services should be conducting risk assessments, implementing vendor risk management programs and engaging in business continuity planning, Chang adds.
"A risk assessment will help the business understand its exposure to third-party risk, and a vendor management program can help the business control that risk," he notes. "Controlling the risk does not mean eliminating the risk entirely, however, so a business continuity plan is necessary to protect against a service outage - whether due to ransomware or any other unforeseen event."