Background: A threat is unleashed
While receiving high marks on weekly and monthly security reports from its vendors, an award-winning community hospital with a full-service and acute-care facility serving residents in the Northeast experienced a ransomware incident in the middle of the night. A hospital technician launched his VPN and accessed the workstation remotely to discover some unusual files titled “Sorry.” When clicked, the files triggered an alarming message: “Your systems have been compromised. Follow these instructions.”
When the incident was detected, the hospital’s incident response plan was activated, alerting hospital leadership and response teams that the core information systems needed for business operations, including the electronic medical record (EMR) systems and telephony, were down. This severely restricted physicians, patients and caregivers in contacting the hospital.
The hospital staff soon realized how dependent they were on the affected systems, and how debilitating a widespread security incident could be. In addition to traditional information technology systems and data, the incident affected elevators, badge swipes, the operators’ console, emergency medical services (EMS) integrations, faxing, paging and visitor call routing.
Within the first hour, an incident response team had assembled. The hospital’s disaster preparedness and recovery team designated runners to carry ad hoc forms between three different areas to coordinate communications. All functions of the hospital, including operators, the emergency department, paramedics and EMS, needed to be managed without phone service.
The IT team quickly called on anyone with a Wi-Fi access point and used the cellular network to access the community health record and hosted EMR system. They collected new and reimaged laptops and Wi-Fi-enabled devices to access patients’ diagnoses, scheduled exams and drug dosages. No patients were rescheduled, though significant needs had to be diverted. Nearly every server, and the data on most workstations, had been encrypted. In total, 50% to 80% of system data was compromised by this ransomware attack. The hosted EMR system had not been compromised by ransomware, though access to it had been disabled as a matter of greatest priority.
How it happened
Upon launch, the ransomware defeated the hospital’s anti-virus software. Following that, the hospital’s backup system was incapacitated, affecting confidential patient, business and operations data as well as personal computer and shared workstation profiles.
Immediately, the hospital’s cybersecurity insurer was contacted to engage outside resources who would assist in managing the incident. This third-party team searched for the attack origin and traced the compromise. The attackers exploited remote access capabilities, a boon for most physicians. Remote access to patient data offers many benefits but also many security challenges. It presents an additional attack channel to patient data; thus, it deserves an additional level of security that was not in place before the incident.
Attackers lurked in the hospital’s systems for over 24 hours before launching the ransomware, planning their attack. Once they found an administrator account they could use, they escalated their privileges and pivoted quickly from system to system. Luckily, no data was accessed or acquired; it was only corrupted or encrypted. Because this hospital had not fully investigated all attack vectors and risks to patient data, it could not see that this scenario was a possibility until it was too late.