Clinic Pays Ransom After Backups Encrypted in AttackSituation Spotlights Tough Decisions Healthcare Entities Can Face After Ransomware Strikes
A small Missouri clinic admits paying a ransom to unlock data after a ransomware attack in August encrypted patient data on a file server, as well as backups. The incident spotlights the dilemmas healthcare organizations can face after a ransomware attack if they're not well-prepared.
See Also: Ransomware: The Look at Future Trends
In an Oct. 13 statement, Namaste Health Care in Ashland, Missouri, a clinic with one physician and two other clinicians, reveals that during the weekend of Aug. 12-13, "an unknown cyberattacker gained improper access into Namaste's computer systems and appears to have remotely accessed Namaste's file server."
The cyberattacker "appears to have not only accessed and potentially viewed information contained on that file server but also then launched a ransomware virus/attack on the file share server, which resulted in the encryption of Namaste's data that was housed on that server as of Aug. 14," the clinic says.
Upon learning of the attack on Aug. 14, the clinic says it immediately "disabled the unauthorized user's access and took the computer systems offline, and with the assistance of our IT contractor, we worked to investigate, eliminate and remediate the malware attack on the systems."
The clinic says it "terminated any further remote access permissions pertaining to the system, and we then subsequently paid the cyberattacker's ransom demand in order to obtain the decryption key and restore the encrypted data."
Namaste's office manager, who asked not to be named, tells Information Security Media Group that the clinic had backups, but those were encrypted in the attack as well.
"We could've rebuilt [our systems] but that would've taken three or four weeks," disrupting care delivery, she says. By paying the ransom and then using the decryption key provided by the extortionists to restore systems and recover all data, Namaste limited the disruption to "only about a day-and-a-half," she adds.
"We were back running a day after we got the de-encryption key," she says, declining to reveal the size of the ransom.
The IT firm assisting Namaste in the remediation told the clinic its files were encrypted using a "lock extension," the clinic's office manager says.
Namaste appears to have experienced a problem often faced by other organizations. "It is not uncommon for backups to also be subject to ransomware," says Kate Borten, president of privacy and security consulting firm, The Marblehead Group.
"This situation is avoidable," she says. "The purpose of backups is to enable recovery, not just from a minor blip in a system, but also from a major event such as a natural disaster or a ransomware attack. Backups should be separated from their source, whether on physical media stored at a distance or in the cloud."
Data at Risk?
Although Namaste in its statement says it did not find any specific evidence to indicate that any data was transferred or exported to any remote location by the cyberattacker, "we have been unable to definitively conclude that [the attacker] did not access and view some amount of the data on its systems."
As a result, the clinic reported the hacking incident as a data breach affecting 1,617 patients, notifying the Department of Health and Human Services as well as several states' attorneys general, the office manager says.
Potentially compromised patient data includes name, address, date of birth, Social Security number, medical record number, health insurance information and information relating to the reason for clinic visits and appointments, Namaste says in its statement.
The clinic, however, did not report the incident to law enforcement, the office manager says.
Law enforcement agencies, including the FBI, advise organizations against paying extortionists in ransomware attacks because there is no guarantee the attackers will turn over a decryption key after receiving payment. Plus, paying the cybercriminals can encourage more attacks.
But some healthcare entities can't afford long disruptions to patient care, so they choose to pay the ransom in hopes of a quick recovery of data (see Ransomware Hits Hospitals).
"How long it takes to recover a backup depends on two key things: how much data has to be restored and the source of the restore," says Keith Fricke, principal consultant at tw-Security. "Ransomware that encrypts thousands or tens of thousands of files on network file shares can take 12 to 16 hours or more to recover. If the restore is from tape backup, that takes longer than restoring from a replicated disk-to-disk backup."
Still, it may take just as long to recover encrypted data by purchasing the decryption key because the ransom has to be paid by digital currency such as bitcoin, Fricke notes. "If the organization is not set up for bitcoin transactions that can take several days to get in place," he says.
In some cases, organizations' backups are run on a schedule and don't necessarily reflect the most up-to-date data, some experts note.
In other cases, backup systems "can fail to restore as they are expected. It is important that IT departments test the viability of their backups and run tests to ensure they will function as they are supposed to," says Susan Lucci, senior consultant and chief privacy officer at security consulting firm Just Associates. "This may be a potential reason why some organizations opt to pay the ransom."
Typically, ransomware encrypts all that is available on the system or network it's running on, says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
Because Namaste indicates that its backups also got encrypted by the ransomware, "that tells me they had their backups either on or attached to the network," Herold says. "Or, they may also have made their backups recently, which would be connected to the network while the backup is occurring, in between the time the ransomware was delivered/loaded onto the network and the point in time when the ransomware trigger launched the encryption."
Backups should never be connected to the network, except for the time in which the backups are made, Herold stresses. "And during that time, it is best for the network to not be connected online or to other networks," she adds.
Still, Namaste's estimate that it would have taken the clinic three to four weeks to restore its access to data had the clinic not paid the ransom "is excessively long," Herold contends.
"This tells me that they must be using a business associate or contracted firm to do their disaster recovery/data restoration, and it must be that long of a wait for them to get the vendor to do the work. This is an unacceptably long time to wait for data and systems recovery."
Good security practices - and the HIPAA Security Rule - call for periodic testing of an organization's processes for restoring its systems where PHI resides, Borten notes.
"The HIPAA rule also calls for a system criticality assessment. For business continuity purposes, a clinic may not need as rapid a recovery as a hospital or inpatient facility, but being without its ePHI for three to four weeks could significantly affect patients and the business."
But in some cases, including the attack against Namaste, backups aren't much help if they're encrypted by the malware attacks.
"Backups can be encrypted if the ransomware encrypts data on file shares that then get backed up," Fricke says. "This speaks to needing archived backups so you can go back further if needed."
To Pay, or Not to Pay
While some organizations might be tempted to pay ransoms to speed recovery, paying exortionists remains relatively rare, says attorney Jay Kramer, a former FBI agent specializing in the healthcare sector who's now a partner at the law firm Lewis Brisbois.
"Increasingly, we are seeing resistance to paying ransom demands, and that is likely a function of the frequency with which administrators are dealing with attacks on their networks - they're simply becoming better at assessing, identifying and remediating threats."
Still, under certain circumstances, especially when patient care is implicated, healthcare organizations have to make a difficult choice, he acknowledges. "On the one hand, they need access to data critical to patient care, and on the other hand, they know that paying a ransom will fuel and encourage criminal activity, and likely a criminal enterprise. The key is preparedness, and if the organization has not prepared to quickly mitigate the incident, they may be left with only one choice."
Kramer emphasizes that organizations "need to employ backup systems that allow multiple iterations of the backups to be saved. This will allow them to retrieve critical data in the event one copy of the backups is encrypted or infected. Also, routine testing of backups needs to be performed to insure data integrity."
Taking Security Steps
In its notice, Namaste says that in the aftermath of the incident, it has taken steps "to further evaluate and address any potentially similar cybersecurity issues moving forward."
That includes upgrading its computer systems, firewalls and remote access technology.
"Additionally, we continually review and update our policies and procedures regarding data privacy and security and have updated the security of our computer systems. We believe that our ongoing efforts will help minimize the risks of future events that could compromise this type of data," the clinic says in its statement.
The clinic is offering affected individuals 12 months of free credit and identity monitoring.