Latest US Healthcare Ransomware Attacks Have Harsh ImpactIn Worst-Case Scenarios, Patient Care Directly Affected
UPDATE: DCH Health System issued a statement Oct. 10 saying that its three hospitals have resumed offering services and taking patients in their emergency departments. "Essential electronic systems related to patient care have been restored, allowing DCH to begin receiving patients. DCH's IT department continues to restore certain nonessential systems, including the email system, and they are working to fully optimize systems to their speed and functionality before the cyberattack. We do not have a timetable for when all systems will be fully optimized."
A recent rash of ransomware attacks in the U.S. healthcare sector shows the serious disruptions these assaults can pose - including temporarily, or even permanently, stopping patient care.
For example, Wood Ranch Medical a small clinic in Simi Valley, Calif., has announced it plans to close because it cannot recover access to any of its records as a result of a ransomware attack.
And on Oct. 2, a ransomware attack forced Tuscaloosa, Alabama-based DCH Health System to temporarily stop admitting most new patients at its three hospitals. But by Oct. 5, DCH acknowledged that it paid a ransom to obtain a decryption key from attackers to restore access to locked systems.
Meanwhile, Campbell County Health, which includes Campbell County Memorial Hospital, a 90-bed area trauma facility in Gillette, Wyoming, is still slowly recovering from a ransomware attack last month.
But in another recently revealed incident, Sarrell Dental, an Anniston, Alabama-based not-for-profit organization that provides dental and optical services to children, says it was able to rebound from a ransomware attack that potentially exposed data on more than 391,000 individuals.
And healthcare organizations in other nations are also being targeted.
Medical facilities and hospitals across the state of Victoria in Australia were infected by file-encrypting ransomware on Monday, causing the shutdown of patient booking systems and financial systems (see Australian Medical Facilities Hit by Ransomware).
So Now What?
To mitigate the risks posed by ransomware attacks, organizations must be proactive and carefully plan ahead.
"With ransomware attackers actively searching for and encrypting backups, it isn't enough anymore to have good backups," says Eddie Chang, vice president of cyber risk management, bond and specialty insurance, at cyber insurer Travelers. "Now it is critically important to back up data to an off-site location, perhaps in the cloud, or to a segregated part of the network with very strong access controls.
"But we have seen ransomware attackers watch for backup servers to be connected to a victim's network, and then encrypt the backup server. Businesses need detailed recovery processes in addition to secure, off-site backups."
In announcing Sept. 18 that it plans to permanently shut down, Wood Ranch Medical said a ransomware attack encrypted the practice's servers containing patients' electronic health records, as well as its backup hard drives.
"Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records," according to a statement from the clinic's owner, Shayla Kasel, M.D.
"We will be closing our practice and ceasing operations on Dec. 17. As much as I have enjoyed providing medical care to you, I will not be able to attend to you professionally after that date," Kasel says in the statement.
The clinic reported the incident as affecting about 5,800 individuals, according to the Department of Health and Human Service's HIPAA Breach Reporting Tool website listing health data breaches impacting 500 or more individuals.
Wood Ranch Medical did not immediately respond to an Information Security Media Group request for additional information about its ransomware attack and the impact - and whether it considered paying a ransom to recover its records.
DCH Health System Attack
In a statement released Oct 2, DCH Health System explained why it was temporarily ceasing the acceptance of new patients at its three hospitals.
The hospitals, the statement says, "have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available. That said, we feel it is in the best interest of patient safety that DCH Regional Medical Center, Northport Medical Center and Fayette Medical Center are closed to all but the most critical new patients. Our staff is caring for the patients who are currently in the hospital, and we have no plans to transfer current patients."
Local ambulances have been instructed to take patients to other hospitals. Patients who come to DCH emergency departments may be transferred to another hospital when they are stabilized, the statement noted.
But in an Oct. 5 update on the DCH website, the organization said it had decided to pay a ransom to decrypt locked systems.
"In collaboration with law enforcement and independent IT security experts, we have begun a methodical process of system restoration," DCH says.
"We have been using our own DCH backup files to rebuild certain system components, and we have obtained a decryption key from the attacker to restore access to locked systems. ... We cannot provide a specific timetable at this time, but our teams continue to work around the clock to restore normal hospital operations, as we incrementally bring system components back online across our medical centers. This will require a time-intensive process to complete, as we will continue testing and confirming secure operations as we go."
A DCH spokesman declined to disclose to Information Security Media Group the amount of the ransom paid to the attackers.
As of Oct. 7, the three hospitals were still accepting few new patients while most departments were still using paper records, awaiting DCH's electronic health records to be back online. "The 'connections' and 'bridges' to all our systems were essentially blown up by the attack," the DCH spokesman says. The ransomware attack "had the effect of a 'denial of service' attack where systems couldn't talk to each other."
Systems are slowly "getting stood up" again, but in the meantime, patient care is limited until digital systems are working again. Although DCH is not sure exactly when it will be fully operational, systems are "ramping up," he says.
The attack on DCH comes on the heels of a Sept. 20 ransomware attack that as of Wednesday was still impacting patient services - including outpatient radiology - at Campbell County Health (see Ransomware Attack on Rural Hospital Disrupts Services).
Sarrell Dental Attack
Some other healthcare organizations, however, have been able to bounce back after ransomware attacks.
For example, Sarrell Dental says it was able to recover from its July attack after closing its practice offices for two weeks while rebuilding its impacted business systems.
The dental practice reported to HHS that the attack affected the protected health information of more than 391,000 individuals.
In a statement on its website, Sarrell Dental reports that it did not pay a ransom to recover its data. "To protect health information in the future, we rebuilt our business systems with updated security and virus protection for the entire Sarrell network before reopening our practice," the statement says.
Sarrell's investigation into the incident did not find evidence that any files or information were copied, downloaded, or removed from its network. "However, we cannot rule out the possibility that data was compromised," the statement says.
A Sarrell spokesman tells ISMG that in the wake of the ransomware attack, it rebuilt its business systems with updated security and virus protection before reopening its practices. "Our network and systems are monitored with upgraded capabilities to ensure that our system and the information we store will remain secure," he says.
Potential for Severe Impact
Commenting on the surge in ransomware attacks in healthcare, Traveler's Chang says: "In general, medical practices and healthcare entities are no more or less likely to be hit by ransomware than other comparable businesses. However, there are factors that can make the impact on a healthcare entity more severe."
Many ransomware attackers are no longer making identical ransom demands across the board, he says. "Instead, once they access a business, they will evaluate it and set a ransom based on what they think the business can pay. When ransomware attackers see a doctor's office, law firm, or other professional organization, they will often set a relatively high ransom in the belief that more money is available."
The second significant factor is that doctors, lawyers, and other professionals often cannot survive without recovering their files, Chang adds. "Whereas a small business may be able to limp along with reconstructed systems and data, that may not be a viable option for a medical practice that has lost all of its patient records."
The cost of responding to a ransomware incident - whether from paying the ransom, hiring digital forensic experts or both - can be too high for some healthcare entities, Chang points out.
"Ransomware attackers have an incentive to set a ransom demand that the victim can and will pay, but it's often too high. In those cases, if the victim is not able to negotiate a reduced ransom demand, it may have few alternatives."
Steps to Take
So what are the most important steps that healthcare organizations can take to minimize the potential impact of a ransomware attack?
"The first and most important step a healthcare entity can take to protect against ransomware is to conduct a thorough assessment of its security controls, its backup and business continuity capabilities, and its insurance coverages," Chang says. "After doing that, a business will better understand what needs to be done to protect against a potentially damaging ransomware attack."
Chris Dawson, threat intelligence lead at security vendor Proofpoint, recommends that healthcare organizations implement layered security defenses with up-to-date endpoint and network protections and regular patching regimens for applications and operating systems.
"End user education and training programs can also help users respond appropriately if they are infected, and regular backups can mitigate the impact of infection if it does occur," he adds.