The news about ransomware in healthcare keeps coming. In September we wrote about how ransomware in healthcare is skyrocketing in 2020. And last week we wrote about the increasing use of double extortion ransomware.
The FBI issued a warning on October 29 that more ransomware is expected in healthcare, with advice on how to detect and prevent it. The warning says they have credible evidence that there will be “an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
In October four major health systems were knocked into downtime: the University of Vermont Health Network, New York-based St. Lawrence Health System, Sky Lakes Medical Center in Oregon and Sonoma Valley Hospital. Their electronic health records systems were inaccessible for days and weeks while they investigated the damage. Multiple hospitals and other care sites among all four were affected.
UVM Health Network (Vermont)
The cyber attack caused network issues system-wide and at least six hospitals were affected. Patients were unable to access their MyChart Patient Portal and elective procedures at UVM Medical Center had to be rescheduled, as the patient medical records system went down in the attack.
Central Vermont Medical Center and Champlain Valley Physicians Hospital were also affected but were able to continue all patient care services, although some were delayed. As of November 9, UVM had made significant progress but was still working to fully recover.
St. Lawrence Health System (New York)
The initial attack was detected in a matter of hours, and the IT team disconnected all systems and the affected network to prevent the attack from spreading.
St. Lawrence had established backup processes to maintain patient care, including EHR downtime and offline documentation processes. Patient care continued with limited disruption throughout the recovery efforts, although some ambulances were diverted early in the crisis.
St. Lawrence worked hard to reboot operations and networks, maintaining communication with the NY State Health Department throughout the recovery efforts.
By November 6, St. Lawrence reported that all systems were back online. IT applications were restored at all clinics and hospitals, and at the corporate level, which includes patient medical records, the laboratory, and pharmacy. They continue to investigate the scope of the incident and its impact.
Sky Lakes Medical Center (Oregon)
Sky Lakes Medical Center reported that it had fallen victim to a ransomware attack on Tuesday, October 27, noting that its computer systems had been compromised. Patients were told that “communications with the medical center will be a little complicated until we can get our systems operating again.”
Emergency and urgent care sites remained open to patients, and many scheduled procedures were able to proceed despite the attack.
Sky Lakes continued to update the public on its website, and on November 4 reported: “The attack’s motive appears to be extortion, although Sky Lakes has no intention of responding to any ransom demand.”
Sonoma Valley Hospital (California)
The attack began on October 11 and initially was reported as “a significant downtime event.” Then on October 30, Sonoma Valley confirmed it was a ransomware attack.
Operations and patient care were maintained throughout the incident, due to Sonoma Valley’s business continuity plan. Most diagnostics continued without interruption, and the patient portal remained available, though no new results had been posted since the attack was launched.
Immediately following the attack, the systems were taken offline to stop the spread. Officials said they successfully prevented the attack from blocking system access and expelled the attackers from the system.
But before system access was blocked, the attackers may have exfiltrated some data from the network. Officials said they did not pay the ransom demand. But there was a data leak by Mount Locker, a known ransomware group, that appears to confirm data was stolen prior to the ransomware deployment.
Preparation and Prevention of Ransomware
The effects of ransomware in healthcare can be devastating. When EHR records are frozen and computer systems are down, patient safety is at risk. The time and costs of defending against such an attack are a huge distraction and drain.
But the four hospital systems described above did some things right, lessening what might have been a much more dire situation:
- Immediate response to shut down systems and limit the spread of damage
- In some cases, they had data backups, meaning they hadn’t lost the patient data and didn’t need to pay to get it back – ransomware can still be a threat in this situation, because the cybercriminals will threaten to post the stolen data unless paid
- Business continuity planning, or a contingency plan, allowed the hospitals to continue services and record patient data, at least temporarily in a different format
- Several of the hospitals reported that they will NOT pay a ransom, which is recommended by law enforcement, because payments embolden criminals to repeat the crime
The single most important thing you can do to prevent cybercrime in healthcare is a HIPAA Risk Analysis. A risk analysis identifies gaps, and reminds you to do workforce training, create data backups and create a contingency plan. It also creates a Risk Management plan to help throughout the year.
The HIPAA E-Tool® has everything needed to complete the analysis, create a risk management plan, and document everything, as required by the Office for Civil Rights, which enforces HIPAA. And if the worst happens, The HIPAA E-Tool® can help analyze whether the ransomware is a reportable breach under the Breach Notification rule.