By EHRA Privacy & Security Workgroup
The ER was bustling with a full cast of colorful characters, as it always is on Halloween, when creepy messages started appearing on every single device:
While it was difficult to deliver care without access to medication schedules, allergies, and histories, the nighttime staff members were used to downtime and somewhat easily transitioned to paper procedures because every month IT took systems offline for important security patches during their shift.
But then the phones started ringing – robocall after robocall – tying up the phone lines and adding to the stress of the staff. Administrators tried to contact additional staff to ask them to come in and help, but discovered their call lists were also encrypted. Email was also down. Younger staff were enlisted to run back and forth between the various hospital floors and the lab and the pharmacy since electronic orders were no longer possible. News of the attack quickly spread to local news as staff and patients posted it on Facebook.
IT staff worked to contain the infection. The security incident response team arrived on site quickly and was able to track down how the malware got in, and how far it had spread. It turned out that the attackers had located the backup server and encrypted it too. Recent backup drives that were connected to the network were also encrypted.
When the hospital contacted the FBI, they were given critical insights about this specific group of hackers – a sophisticated organized crime group based out of Eastern Europe. Paying the ransom would probably get the files back, but it would serve to embolden the criminals to continue inflicting damage to hospitals.
The hospital CEO posted a heartfelt message about how much the hospital cares about the safety and health of their patients, but the local news featured an interview with someone who said, “If they really cared, they would have prevented this. How can they care for me without access to my records?”
Yes, this is a fictional attack, but all of the elements of this story are based on real life ransomware attacks experienced by hospitals in the past year.
Lessons Learned From Affected Organizations
Henry Ford said, “the only real mistake is the one from which we learn nothing.” Hospital ransomware attacks have a lot in common, offering hard-won knowledge you can learn from, and take action.
What we’ve learned: Attackers often strike on a holiday, on a weekend, and in the middle of the night.
What you can do: Be vigilant. Security monitoring needs to be 24x7x365. Consider outsourcing monitoring to a Managed Security Service Provider (MSSP).
What we’ve learned: Malware spreads through the entire network and encrypts everything at the same time.
What you can do: Develop a clear incident response plan. Quick action is necessary. Shut down or isolate critical systems quickly; clear messaging needs to be delivered to staff as well.
NIST Special Publications:
-
- SP 800-61 – Computer Security Incident Handling Guide
- SP 800-86 – Guide to Integrating Forensic Techniques into IR
- SP 800-184 – Guide for Cybersecurity Event Recovery
What we’ve learned: Backups, email, and phone systems are frequent targets.
What you can do: Protect these critical systems by isolating them physically and digitally from the rest of the network. Use multi-factor authentication for access where possible. Follow the 3-2-1 backup rule.
What we’ve learned: Denial of service attacks — on phone lines and/or computer systems — may be used as a distraction for the main attack.
What you can do: Stay informed — work with the Security community to stay abreast of current threats and tactics. Engage with your ISP (Internet Service Provider) and your Telecommunications provider to learn about strategies for handling attacks.
What we’ve learned: Don’t expect to be able to contain news of the attack. Damage control is difficult and needs to be thought out in advance — the media can be brutal.
What you can do: Collaborate proactively with your executive, legal, and business unit leaders to prepare a security incident response plan to guide next steps in the event of an incident.
What we’ve learned: Security incident response firms and law enforcement — particularly the FBI — have been the most important keys to recovery.
What you can do: Developing a proactive relationship with security experts is essential. They’re not only able to offer advice on cybersecurity best practices to help prevent an attack, but will be able to support your team’s recovery process should malicious hackers find a way to attack your system anyway. InfraGard is a partnership between the FBI and the private sector.
What we’ve learned: Whether or not to declare a breach to the HHS Office of Civil Rights is complicated if you don’t have good forensic information about the attack.
What you can do: Work closely with a security incident response firm in advance to make sure that your logging capabilities will be adequate, and that logs are appropriately protected from tampering.
What we’ve learned: Attackers penetrate networks in advance of the actual attack, in order to gather information that makes their attack more effective.
What you can do: Consider proactive “threat hunting.” When you notice suspicious activity, don’t assume that you’ve contained it simply because you cleaned up an infected workstation. Educate all staff — especially privileged administrators — on the importance of “see something, say something.”™
What we’ve learned: Time to recover affected systems is critical in determining the business impact of an event.
What you can do: Make sure your backups work — validate them, test them, work closely with backup providers to ensure that you can restore easily in an emergency. And then store them separately from the primary record system.
Unfortunately, experts know that even careful adherence to cybersecurity best practices can’t guarantee impenetrable systems. but that’s not an excuse to throw up your hands and give up. Every additional step you take today to prepare for potential cyberattacks not only reduces your risk, but it increases the likelihood of a swift recovery in the event you are victimized.
EHRA Blog 
4 Comments