Ransom Notes

Hospital’s response to ransomware provides valuable lessons.

Health Data Management - INSIDE FEATURES - By Greg Slabodkin

Attack on a Level 1 trauma center offers critical preparedness lessons.

It was a Sunday morning like any other in the emergency department of Erie County Medical Center, a 602-bed hospital in Buffalo, N.Y., and the Western New York area’s Level 1 trauma center. However, around 2 a.m. on April 9, 2017—Palm Sunday—a member of ECMC’s clinical staff was the first to see an electronic ransom note on a workstation. “You must send us 1.7 BitCoin for each affected PC OR 24 BitCoins to receive ALL Private Keys for ALL affected PC’s,” read the note from the cybercriminals, demanding the equivalent of $44,000 in bitcoin cryptocurrency in return for a key to unlock the hospital’s files.

No one “really expects something like this to happen to them and their hospital,” says Jennifer Pugh, MD, ECMC’s associate chief of emergency medicine, who was in the ER when the ransomware hit. She credits the quick response of the medical staff with enabling ECMC to manage the crisis.

As the day went on, the hospital found itself enmeshed in a major ransomware attack.

Ransomware, used by hackers to target all kinds of organizations worldwide, is a type of malicious software surreptitiously installed on a computer that encrypts files and then holds the data hostage in return for payment of a ransom. After a computer’s files are encrypted, a ransom note typically appears on the user’s screen, demanding payment for a software “key,” similar to a password, that decrypts the files. Without that key the encrypted data is unreadable, which is what gives the demand its leverage.

ECMC responded quickly to the attack, following a pre-arranged script. To prevent the rampant spread of the ransomware, the organization purposely shut down its information systems, including an electronic health records system, email and website—among others.

The staff recognized the threat almost immediately and within minutes notified security executives—who limited the spread of the malware—called in experts to deal with the crisis and, soon after, employed a novel workaround for accessing patient data.

Ultimately, more than 6,000 of ECMC’s computers were infected by a common version of ransomware called SamSam. To recover, the hospital would need to meticulously clean the file-encrypting malware from the hard drive of each computer that was hit.

ECMC says patient records were never compromised during the incident. Even so, the incident took six weeks to resolve and cost millions of dollars to fix. Perpetrators of the attack have not been caught.

The hospital’s experience is a cautionary tale for other healthcare organizations, which are regularly targeted by ransomware attacks and may fall victim to similar incidents. The number of reported major ransomware events targeted against healthcare organizations increased from 19 reported in 2016 to 36 reported in 2017—an 89 percent increase in the frequency of ransomware attacks—according to cybersecurity vendor Cryptonite.

“What the ransomware attack at ECMC proved is that every organization has potential vulnerabilities,” says Peter Cutler, ECMC’s vice president of communications and external affairs. “What is important to emphasize and proved critical in the ECMC attack is quick detection of an attack and immediately taking appropriate steps to prevent widespread damage to an organization’s computer infrastructure.”

Despite its success in dealing with the attack, ECMC has been cautious in releasing information about the incident—which is not atypical for organizations hit with ransomware, according to Adam Cohen, special agent in charge of the FBI’s Buffalo Field Office. Cohen, who declined to either confirm or deny an FBI investigation of ECMC’s attack, notes that often victims of ransomware keep the details confidential because of concerns over privacy, business reputation or regulatory data breach reporting requirements.

While ECMC released some statements to the press from its executives during and after the crisis, the hospital declined multiple requests from Health Data Management to interview IT staff and executives about the incident. It did, however, grant interviews with Pugh, its associate chief of emergency medicine, and Reg Harnish, CEO of GreyCastle Security, the cybersecurity firm that managed ECMC’s response to the event.

Attack timeline

The Sunday morning of the attack, a member of ECMC’s clinical staff was the first to see the ransom note on a workstation. Alarmed by the message, the clinician, following ECMC’s protocol, immediately called the facility’s helpdesk, which in turn notified the medical center’s chief information security officer.

In response, ECMC executives made the decision by 3:30 a.m. to shut down all IT systems—including a Meditech electronic health record system, email and website—in an attempt to stop the ransomware from spreading throughout the organization.

With the EHR out of commission, Pugh says, the hospital executed an existing contingency plan and reverted to using paper-based charts and face-to-face communication. “We do practice this and prepare for it,” she adds. “It involves going to paper records and paper order forms.”

Shortly before 5 a.m., ECMC reached out for help to GreyCastle Security, a cybersecurity firm in Troy, N.Y., which operates a 24/7 emergency response hotline, to head up remediation efforts. Within 15 minutes of that call, Harnish says his company was involved in triage to contain the incident; he activated a six-member response team, who went from Troy to Buffalo to manage the crisis onsite.

“That Sunday morning, when we began triage, cybercriminals were still accessing [the ECMC] network,” Harnish says.

Despite that access, medical records weren’t compromised and patient care was not negatively impacted, hospital executives said in public statements. At no point during the incident did ECMC consider paying the $44,000 ransom demanded by hackers, Harnish adds. “Our advice [to ECMC] never changed, and it never changes with anyone, which is not to pay the ransom,” he says. “The reality is that even if you pay the ransom, there’s no guarantee that it’s actually going to work.”

Likewise, the FBI doesn’t support paying to resolve a ransomware attack, says Cohen. Rather, the agency urges prevention as a first step and regular data backups to recover in the event of an attack, with recovery data stored on media that’s not connected to the network.

While ECMC had regularly backed up data in multiple ways before the ransomware attack, the hackers “looked for and deleted all of those backup files that were online,” thus complicating the recovery process, Harnish says. As a result, the hospital “had to resort to older backups that were offline and not connected to the network,” he adds.

Justin Armstrong, a security analyst for Meditech, contends that backing up data regularly and verifying the integrity of those backups is critical to getting EHR systems back after an attack.

“Whether to pay [the ransom] or not is a very individual thing,” ECMC President and CEO Thomas Quatroche told The Buffalo News. “If you have no backup, you have no choice.” By backing up its data, the hospital ensured that it did not have to give in to the ransom demand from hackers.
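The FBI’s offline-backup advice and Armstrong’s point about verifying backup integrity come down to two checks a recovery plan should be able to run on demand: that every file in a backup set is still present and unmodified, and that the catalog used to make that judgment was not itself altered by the same intruders who deleted ECMC’s online backups. The following is an added example, not code from ECMC, GreyCastle or Meditech. It builds a SHA-256 manifest of a backup directory, signs the manifest with an HMAC key that is assumed to live on the offline media alongside the backup (the key value, directory layout and file contents are constructed for the demonstration), and then reports deletions, modifications and a forged manifest.

```python
import hashlib
import hmac
import json
import os
import tempfile

# Assumed: this key is stored only on the offline backup media, never on a
# networked host, so an intruder who can reach the online copy cannot re-sign
# a manifest after deleting or rewriting files. Value constructed for the example.
MANIFEST_KEY = b"example-offline-manifest-key"


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large backup images need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(backup_dir, key=MANIFEST_KEY):
    """Catalog every file under backup_dir and sign the catalog with the offline key."""
    entries = {}
    for root, _dirs, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            entries[os.path.relpath(full, backup_dir)] = sha256_file(full)
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(key, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir, manifest, key=MANIFEST_KEY):
    """Return (ok, problems). The manifest signature is checked first: a catalog
    that has been edited to hide a deletion must fail before any file is trusted."""
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return False, ["manifest signature invalid (manifest tampered or wrong key)"]
    problems = []
    for rel, digest in manifest["files"].items():
        full = os.path.join(backup_dir, rel)
        if not os.path.exists(full):
            problems.append(f"missing: {rel}")
        elif sha256_file(full) != digest:
            problems.append(f"modified: {rel}")
    return not problems, problems


def demo():
    """Constructed scenario: a backup set is cataloged; an intruder then deletes
    one file, rewrites another, and finally edits the catalog to hide the deletion."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "ehr"))
        sample = {"ehr/db.bak": b"patient-db", "ehr/index.bak": b"idx", "notes.txt": b"ok"}
        for rel, data in sample.items():
            with open(os.path.join(d, rel), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)
        ok_before, _ = verify_backup(d, manifest)

        # What the attackers did to ECMC's online backups: delete and overwrite.
        os.remove(os.path.join(d, "ehr/db.bak"))
        with open(os.path.join(d, "notes.txt"), "wb") as f:
            f.write(b"encrypted-garbage")
        ok_after, problems = verify_backup(d, manifest)

        # A catalog with the deleted file silently removed fails the signature check.
        forged = dict(manifest)
        forged["files"] = {k: v for k, v in manifest["files"].items() if k != "ehr/db.bak"}
        ok_forged, forged_problems = verify_backup(d, forged)
        return ok_before, ok_after, sorted(problems), ok_forged, forged_problems


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the tuple from demo(): the pristine set verifies, the tampered set names the deleted and rewritten files, and the catalog with the deletion edited out fails the signature check instead of passing as complete. The HMAC only helps if the key is never reachable from the network the attacker is on, and the check is only useful if it runs on every backup generation on a schedule rather than for the first time at restore.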

Restorations and workarounds

In the hours, days and weeks after the attack, ECMC made steady progress in restoring its computer systems through a multiphased approach.

With its EHR system down, ECMC turned to HEALTHeLINK, a regional health information exchange in Western New York. HEALTHeLINK provided critical access to some patient records for ECMC clinicians immediately after the attack. “That became a bit of a lifeline,” Harnish says of HEALTHeLINK, a collaborative effort started in 2006 by healthcare organizations in the Western New York area to share clinical information and make patient records available.

In working around the ransomware attack, HEALTHeLINK served as a source of data backup with the information safely stored in the cloud. ECMC was one of the first participants in the HIE and “has been very progressive” in its participation, according to HEALTHeLINK Executive Director Daniel Porreca, even building an interface to HEALTHeLINK into its Meditech EHR.

“We had invested a lot of time and money to upload all of ECMC’s prior records into HEALTHeLINK—literally, up to the moment our computer systems were intentionally shut down in the aftermath of the attack,” says Pugh. “We were able to go and look up prior patient records, surgical reports, CT scans, labs—everything that we would normally get out of our computer screens.”

While ECMC used paper records in the first hours of the system shutdown, HEALTHeLINK helped ECMC implement an EHR workaround that enabled hospital staff to use laptops with ad hoc Internet access to view patient records through a web-based portal that accessed the HIE’s database.

“Very quickly, we had one of our staff on a call to reset passwords to enable access, and by early Sunday afternoon, we had one of our staff in the hospital working directly with providers as they set up laptops to get Internet access,” says Porreca. “By Monday morning, we had seven people onsite working in the areas where the laptops were being deployed and getting access to [ECMC] data via HEALTHeLINK.

“Based on their involvement with us, ECMC was able to continue clinical operations almost immediately and to access their own data by using HEALTHeLINK,” he adds. “We were fortunate to be in a position where we could help.”

“Any hospital that has the ability to participate in a health information exchange such as HEALTHeLINK should do so—it was that important to us,” contends Pugh. “I don’t think our patients even noticed because we really tried to provide the same level of care, even without use of our EHR.”

Still, some processes, such as placing orders or detailing care plans, required the use of paper and pen, Pugh says. For some clinicians, there were benefits to going back to these old practices, such as spending more face time with patients and less time in front of a computer screen. At the same time, Pugh notes that for some of the hospital’s younger staff and medical students a paper-based process took some getting used to because they hadn’t practiced in an environment without computers before. “We spent a lot of time with our residents making sure they knew how to appropriately document patient charts without EHR prompts,” she adds.

Other processes were moved off-screen as well. For example, clinicians normally would look at X-rays or CT scans on a computer screen, but now temporarily they had to view them directly on film or at the CT scanners, Pugh says.

To enable physicians to place medical orders, ECMC printed out paper versions of the forms that had to be signed with a pen instead of being initialed on screen. Electronic prescribing—which New York State mandated in 2016—was a bit challenging in the aftermath of the ransomware attack, Pugh notes, but physicians used paper prescription pads to place orders, and “all the local pharmacies were notified of our issues.”

According to Michael Vinson, manager of client support and a member of Meditech’s disaster recovery application team, ECMC has been an EHR customer since the late 1990s. In addition to the EHR system being down, he recounts that early in the aftermath of the ransomware attack, one of the big challenges in assisting ECMC remotely was that the hospital didn’t have an operating email system and could only communicate through “old school” phone and text messages.

Further recovery efforts

By April 21—12 days after the initial attack—the hospital website had been restored, temporary email was established, some financial systems began to come online, and more than 6,000 hard drives had been cleaned and returned to workstations. In addition, ECMC’s EHR system from Meditech was available to staff clinicians, but just in view-only mode.

During the week of April 24, the medical center installed a new hospital email system, continued the phased restoration of inpatient EHR-related functions and began to roll out restored desktop computers. And by the week of May 1, ECMC started electronic transmission of radiological images as well as physician documentation, beginning with the emergency and psychiatric emergency departments, while continuing the rollout of restored desktop computers and the restoration of inpatient EHR functions.

The quick recovery was enabled by prior staff training, planning and quick response of ECMC staff to the breach, limiting the damage to its systems while ensuring patient safety. However, ECMC’s recovery carried a huge financial cost. This past summer, the hospital initially reported a $10 million price tag for repairing the damage and restoring its information systems. More recently, an ECMC spokesman reported the final cost of rebuilding the hospital’s computer systems is “not yet finalized.”

But fortuitously, the hospital in late 2016 increased its cyber insurance coverage to $10 million from $2 million, increasing its financial protection against such cybersecurity events, ECMC’s CEO Quatroche told The Buffalo News.

Rising threats, old vulnerabilities

ECMC’s experience is emblematic of the challenges of overcoming ransomware attacks, which are on the rise. Results from a survey conducted by HIMSS Analytics, released in December 2017, show that 78 percent of providers have experienced a ransomware or malware attack in the past 12 months.

“It’s something that affects the single, sole practice medical professional all the way up to major hospitals,” says FBI special agent Cohen, who believes the trend will continue to rise with “more incidents of ransomware, hacking and intrusions.”

The FBI has warned that in newer instances of ransomware, cybercriminals are increasingly capitalizing on unpatched software on end-user computers. For example, in May 2017, hundreds of thousands of computers worldwide were compromised by the WannaCry ransomware in at least 150 countries, including the National Health Service in the United Kingdom, where the cyberattack froze computers at hospitals and closed emergency rooms. WannaCry spread on its own between Windows systems that had not applied a security patch Microsoft had released two months earlier, among them machines running older versions of Windows that Microsoft no longer supported.

WannaCry is not the only variant of ransomware being used to attack healthcare providers’ systems. According to GreyCastle’s Harnish, the SamSam ransomware that hit ECMC targets web server vulnerabilities to infiltrate computer networks, which is how he believes ECMC’s systems were hacked.

“It was a single technical vulnerability,” says Harnish. “It was a very common but very simple vulnerability—by simple, I mean one that is easily addressed and fixed.”

An alert from the FBI details that SamSam uses an automated script that crawls the Internet looking for exposed servers running JBoss (an open source application server from Red Hat) or Remote Desktop Protocol (RDP, Microsoft’s remote desktop service), breaking in through vulnerable JBoss installations or by brute-forcing weak and default RDP passwords. Once it finds one, the script compromises that host, the intrusion’s “patient zero,” and uses it as the entry point into the rest of the victim’s network.

For ECMC, the “patient-zero vulnerability was a default password on an Internet-facing asset,” Harnish believes. “It was what ended up being the initial vulnerability that was exploited and gave those criminals access.”

According to Harnish, the SamSam ransomware attack on ECMC did not involve a JBoss server, leaving the other possibility—an RDP vulnerability. “I can’t confirm or disconfirm that,” he adds.

Avi Rubin, director of the health and medical security lab at Johns Hopkins University, says a common technique hackers employ is scanning the Internet for computers with network ports exposed to the Internet and exploiting vulnerable services listening on them, such as RDP.

“Once the attackers gain a foothold in this manner, they can attack the passwords in the system by using sophisticated dictionaries and matching techniques to crack the passwords in the system,” notes Rubin.

Phillip Hallam-Baker, principal scientist and vice president at cybersecurity vendor Comodo, warns that if the password is a default password, the attacker already knows it.

“Quite often, software ships with an account ‘guest’ with password ‘password,’” remarks Hallam-Baker. “In the past, software often shipped with admin accounts with default passwords, but that happens much less now because it is flagged as an issue.”
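The intrusion pattern described above (an automated scan for exposed RDP, then password guessing, or a default password that works on the first try) leaves a distinctive trace in the Windows Security log: a burst of failed RemoteInteractive logons (event 4625, logon type 10) from one source address, sometimes followed by a success (event 4624) from the same address, or a success from an outside address with no failures at all. The following is an added example, not code from ECMC, GreyCastle, the FBI or any vendor quoted here. It runs that detection logic over a constructed sample of forwarded events; the timestamps, addresses and account names are invented, and the internal address ranges are an assumed hospital address plan.

```python
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Windows Security events, one JSON object per line, in the
# shape a SIEM forwarder might emit. 4625 = failed logon, 4624 = successful logon;
# LogonType 10 = RemoteInteractive, i.e. RDP. All hosts, users and addresses are invented.
SAMPLE_EVENTS = """\
{"time": "2017-04-09T01:40:01", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"time": "2017-04-09T01:40:03", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "administrator"}
{"time": "2017-04-09T01:40:06", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"}
{"time": "2017-04-09T01:40:09", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "admin"}
{"time": "2017-04-09T01:40:12", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"}
{"time": "2017-04-09T01:40:15", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"}
{"time": "2017-04-09T01:41:02", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.7", "user": "backup"}
{"time": "2017-04-09T01:50:00", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"}
{"time": "2017-04-09T01:50:30", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.20", "user": "jsmith"}
{"time": "2017-04-09T01:51:00", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.20", "user": "guest"}
{"time": "2017-04-09T01:55:00", "event_id": 4624, "logon_type": 10, "src_ip": "10.20.5.14", "user": "rn_oncall"}
{"time": "2017-04-09T01:56:00", "event_id": 4625, "logon_type": 3, "src_ip": "10.20.5.99", "user": "svc_print"}
"""

# Assumed internal address plan for the hospital network (example values).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
RDP_LOGON_TYPE = 10
FAIL_THRESHOLD = 5                # this many failed RDP logons from one source ...
WINDOW = timedelta(minutes=5)     # ... inside this window raises a brute-force alert


def is_external(ip):
    """True when the address is outside the assumed internal address plan."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_events(text):
    """Parse JSON-lines events and return them in time order."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["time"] = datetime.fromisoformat(e["time"])
            events.append(e)
    return sorted(events, key=lambda e: e["time"])


def detect_rdp_attacks(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (kind, src_ip, user, time) alerts for: a burst of failed RDP logons
    from one source; a successful RDP logon from a source that produced such a
    burst; and a successful RDP logon from outside the internal address plan,
    which is what a correctly guessed default password looks like even when no
    burst preceded it."""
    failures = defaultdict(deque)     # src_ip -> timestamps of recent RDP failures
    burst_sources = set()
    alerts = []
    for e in events:
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue                  # console, network and service logons are out of scope here
        ip, t = e["src_ip"], e["time"]
        q = failures[ip]
        while q and t - q[0] > window:
            q.popleft()               # drop failures that have aged out of the window
        if e["event_id"] == 4625:
            q.append(t)
            if len(q) >= threshold and ip not in burst_sources:
                burst_sources.add(ip)
                alerts.append(("rdp_bruteforce", ip, e["user"], t.isoformat()))
        elif e["event_id"] == 4624:
            if ip in burst_sources:
                alerts.append(("rdp_bruteforce_success", ip, e["user"], t.isoformat()))
            elif is_external(ip):
                alerts.append(("external_rdp_logon", ip, e["user"], t.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

On the sample this yields three alerts: the guessing burst from 203.0.113.7, the success that follows it for the “backup” account, and a single clean “guest” logon from 198.51.100.20 with only two prior failures, which is the default-password case Hallam-Baker describes. Threshold and window would be tuned per environment; the more fundamental fix is the one the text implies, which is that RDP should not be reachable from the Internet at all.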

In 2016, the FBI issued a warning about SamSam ransomware, detailing how cybercriminals were exploiting such vulnerabilities, particularly in the healthcare industry.

Nonetheless, Cutler, ECMC’s vice president of communications and external affairs, is dismissive of any fault or negligence on the part of the hospital. “Organizations across the country routinely receive information of cyberattack warnings from entities like the FBI,” Cutler says.

“When you have an environment [like ECMC] where there are 6,000-plus computers, the likelihood that the configuration on one of the computers was incorrect is pretty high,” contends Harnish.

Similarly, Meditech’s Armstrong says that, in a big complex computing environment like a hospital, “there’s always going to be something that has a vulnerability” that is going to put any devices that connect to the Internet at risk.

Resilience in facing ransomware

While there are other variants of ransomware, Harnish says SamSam is “rampant” in healthcare and will continue to pose a cybersecurity threat to hospitals—though he would not reveal who was behind the ECMC attack or their country of origin. Based on his experience, FBI Special Agent Cohen says most of the ransomware attacks being launched on the U.S. are initiated in Eastern Europe.

“What’s happening is a form of terrorism like an attack on critical infrastructure,” ECMC’s Quatroche told The Buffalo News.

Harnish believes that most medical facilities are woefully unprepared for the kind of attack that hit ECMC, arguing that it’s not a question of if—but when—the next health system will fall victim to malware.

The FBI’s Cohen urges victims of ransomware to report incidents to the agency—regardless of the outcome—to help it gain a more comprehensive view of the current threat environment. “Our job is to help, however we can, and the more that we know about the types of attacks and the tactics used enables us to better understand the threat.”

To facilitate public-private collaboration between U.S. businesses and the FBI, InfraGard was established as a not-for-profit organization to expedite the timely exchange of information and promote mutual learning opportunities when it comes to cybersecurity. “That’s our way to not just take information but provide information back,” says Cohen.

For its part, the FBI suggests organizations focus on two main areas: prevention in terms of both awareness training for employees and robust technical prevention controls, as well as the creation of a solid business continuity plan in the event of a ransomware attack.

Healthcare organizations “need to build a response capability—this is about resilience in healthcare,” says Harnish.

Resilience is clearly a message that resonates with the industry. As results of the HIMSS Analytics survey released in December 2017 showed, 97 percent of providers have a high level of concern about cybersecurity and resilience—defined as an organization’s capacity to adapt and respond to adverse cyber events in ways that maintain the confidentiality, integrity and availability of data and services.

Calling cyber defense a “bit of a failed concept” for hospitals, Harnish recommends facilities not give up on prevention but at the same time develop contingency planning and train their staffs in how their organization will deal with the loss of information systems as a result of such cybersecurity incidents.

John Glynn, chief information officer at Rochester Regional Health, another integrated healthcare delivery system serving Western New York and the Finger Lakes region, says the ECMC ransomware attack “really got the attention of our board—I’m getting sick just thinking about it.”

Glynn notes that in the aftermath of ECMC’s cybersecurity event, one of the benefits for Rochester Regional Health was it forced the organization to “do more systemwide downtime preparedness drills than maybe we had previously.” He acknowledges there are “multiple vectors of attack” that healthcare organizations must be prepared for, which is difficult because of the wide range of cyber threats confronting them.

“The attackers are always going to find a way in—that’s why it’s really essential to be able to quickly detect and respond,” adds Meditech’s Armstrong. “These are complicated problems. When an attacker gets into a system, you want to make sure that the ransomware is gone and they didn’t leave any backdoors in so they can come back later.”

Hospitals “need to be prepared for when prevention breaks down,” Harnish says. “Insulating patients from cyberattacks has to be their No. 1 priority because it’s potentially an issue of life and death.”
