Ransomware Attack Leads to Discovery of Lots More Malware
Missouri Clinic Finds Computers 'Loaded with Malware'
A family care clinic in Missouri says those investigating and mitigating a recent ransomware attack discovered that its systems were "loaded with a variety of malware programs."
"It is not uncommon for a thorough forensics investigation to find other issues across a computer environment - that will range from unpatched systems to malware to open ports," says David Finn, a former healthcare CIO who is now executive vice president of the security consultancy CynergisTek.
"The computer vendor and a separate forensic computer vendor hired on that same day began the investigation and recovery process," the statement notes. "The investigation found indications that unauthorized persons had compromised the Blue Springs computer systems and loaded a variety of malware programs, including the encryption program responsible for the ransomware attack."
The investigation concluded the unauthorized persons would have had the ability to access all of the Blue Springs computer systems, the clinic notes. "However, at this time, we have not received any indication that the information has been used by an unauthorized individual."
The U.S. Department of Health and Human Service's HIPAA Breach Reporting Tool website, or "wall of shame," indicates that Blue Spring on July 10 reported the breach as a hacking/IT incident involving its electronic medical records and network server that exposed data on nearly 45,000 individuals.
Blue Spring's front desk receptionist, who did not want to be identified by name, told Information Security Media Group Friday that the investigation into the ransomware attack had not yet determined the source of the ransomware attack, the source of the other malware discovered, whether the other malware might have been present on the practice's systems before the ransomware attack, or whether the infections were all part of the same attack.
She said the practice chose to "rebuild" its systems and did not pay a ransom.
The clinic, which has about seven clinicians, notes in its statement that it has taken steps to strengthen its defenses against similar incidents.
"Immediately after discovery of the incident, we engaged a forensic information technology company to assist with quarantining the affected systems and to install software to monitor whether any unauthorized person was accessing the system," the statement says.
"We also deployed new technology to prevent future intrusions, including a new firewall. Most recently, we are transitioning to a new electronic health record provider that will provide encryption of all protected health information."
While the clinic is recommending that individuals impacted by the breach monitor their credit reports and consider putting fraud alerts on their credit reports, it is not offering free credit or ID monitoring, the receptionist told ISMG.
More Questions Than Answers?
Blue Spring's breach notification statement "raises more questions than it answers," Finn says.
"If they found that attackers - or in their words 'unauthorized persons' - had 'loaded a variety of malware programs,' it is likely that this represents prior attacks," Finn says.
"We are seeing ransomware used more and more as a decoy for other types of attacks, and that may be the case here. Or even vice versa, the ransomware was part of the [attacker's] exit strategy; they had been exfiltrating data for some time and didn't want that found out so they placed the ransomware - that always gets everyone's attention."
Based on the clinic's description of the incident, Finn says, "it sounds like the 'unauthorized persons' would have had pretty much unbridled access to just about everything, so ransomware may have been the last step to get out rather than the way in which it is usually how it is used. It doesn't make sense to load multiple malwares if you have a specific target or objective in mind."
A thorough forensics investigation following a breach often leads to the discovery of other issues, Finn says.
"It may have been malware that wasn't designed to operate in that environment or had some trigger event that never happened or simply failed," he says.
Other times, some steps fall through the cracks, such as someone mistakenly thinking patches were applied or open ports disabled, when actually they weren't, he notes.
"I've even seen infected machines pulled from the network for clean-up, moved to a storage area and someone in need of a replacement or new device re-deploys the infected machine unknowingly," he says.
"We've seen firewalls turned off for maintenance or reconfiguration and they were not then re-implemented or turned back on."
Tom Walsh, president of consulting firm tw-Security, notes that some studies have shown that it often takes more than 100 days for organizations to detect a hack.
"Often the audit logs for the EMR and/or the IT infrastructure are only examined when there is an issue," he notes. "Also, it has been my experience that to save money on memory storage, most clinics and physician practices are not retaining audit logs for a long enough period to detect a trend spanning over 100 days or more. Often the audit logs are overwritten about every 30 days."
Without reliable audit logs and review, "there is no telling how much malicious code is loaded on computers and servers. Once there is an issue and a more thorough investigation is conducted, there are discoveries made of additional malicious code," Walsh says.
Mitigating Ransomware Threats
Ransomware attacks have plagued the healthcare sector. Others hit by ransomware in recent weeks include Allied Physicians of Michiana, a multispecialty practice based in South Bend, Indiana, with about 50 clinicians, as well as medical laboratory testing firm LabCorp and EHR vendor Allscripts.
What can organizations do to avoid being the next victim?
"Unfortunately, a lot of healthcare organizations still believe that it won't happen to them - 'we're not big enough; we're not in a big city; we don't have VIP patients'," Finn says. "It will happen to you if you connect to the internet, and most of us don't think about how nor how often we do that."
Many organizations buy tools, implement technology and automate security functions and then mistakenly assume they're safe, Finn says.
"Those tools are only the beginning of the process," he stresses. "You have to master them, integrate them into the business and functions, and, more importantly, those tools have to be updated and monitored continuously." Plus, staff must be trained as members of the team leave, or the tools change, or how the tools are used changes, he notes.
Walsh says organizations need to take several critical steps:
- Create an audit log strategy that includes log retention schedules as well as copying and securely storing logs to prevent a hacker from erasing the logs;
- Proactively monitor certain user behavior or activities through audit tools or some type of security monitoring service;
- Implement a next-generation firewall;
- Educate users about not clicking on hyperlinks and opening attachments;
- Restrict user access to the internet, and block access to personal webmail;
- Limit local administrator rights.
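As an added illustration of Walsh's first step (and of his point that logs overwritten every 30 days cannot reveal a 100-day intrusion), the following Python sketch is not from the article or anything the clinic deployed: it chains each forwarded audit line to the previous one with a SHA-256 hash so that an erased or edited entry in the stored copy is detectable on review, and it checks a retention window against the quoted detection lag. The log lines and user names are constructed for the example.

```python
"""Tamper-evident audit-log copy plus a retention-window check (added example)."""
import hashlib

# Constructed sample audit lines; hypothetical EMR events, not real data.
SAMPLE_LOG = [
    "2018-05-01T02:13:07Z user=svc_backup action=login src=10.0.0.5 result=ok",
    "2018-05-01T02:14:51Z user=svc_backup action=export records=44000 result=ok",
    "2018-05-01T02:20:33Z user=admin action=disable_firewall result=ok",
]


def _link(prev_digest, line):
    """Digest of one entry: sha256(previous digest || newline || line)."""
    return hashlib.sha256((prev_digest + "\n" + line).encode()).hexdigest()


def chain_logs(lines, seed="genesis"):
    """Return [(line, digest)], each digest depending on every earlier line.

    The caller keeps the final digest (the 'head') off the logged system, e.g.
    with the securely stored copy, so truncation of the tail is also detectable.
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    entries = []
    for line in lines:
        prev = _link(prev, line)
        entries.append((line, prev))
    return entries


def verify_chain(entries, expected_head, seed="genesis"):
    """Recompute the chain over a stored copy.

    Returns -1 if intact, the index of the first entry whose link does not
    match (an altered or deleted line), or len(entries) if every link checks
    but the head differs (entries removed from the end).
    """
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(entries):
        if _link(prev, line) != digest:
            return i
        prev = digest
    return -1 if prev == expected_head else len(entries)


def retention_covers_dwell(retention_days, dwell_days=100):
    """True if logs kept for retention_days still hold an event dwell_days old."""
    return retention_days > dwell_days
```

Run the same verification over each periodic copy and compare the head against the value retained off-system; a mismatch is itself an event worth investigating.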
Walsh notes that clinics tend to outsource their IT - including EMR and IT infrastructure support - because they do not have in-house expertise.
"The IT support staff are limited in the services they can provide because the clinic owners don't want to spend the money needed for securing their IT environment," he says.
Finn adds: "Detecting [security] events is kind of a moot point if you haven't identified what needs to be protected. And if you don't have a good response and recovery program, all that other work may be for naught" when the inevitable breach occurs.