What One Hospital Learned From a Ransomware Attack
Editor’s note:This month’s PSQI Online Spotlight looks at how an Indiana hospital dealt with a ransomware attack.
By Philip Betbeze
It’s breach season.
That’s what Ron Pelletier, founding partner of Pondurance, a cybersecurity company based in Indianapolis, calls February through April. Partly, that’s because it’s also tax season, when a lot of financial information is being sent and received via the internet. Bad actors often spend the latter part of the previous year “weaponizing” their tools and doing reconnaissance. Then they look for vulnerabilities.
For Hancock Health in Greenfield, Indiana, just outside Indianapolis, breach season started a little early. About 9:30 p.m. on the night of January 11, 2018, Steve Long, its president and CEO, got a call from the health system’s IT staff, telling him a computer in the lab was infected with ransomware. In an abundance of caution, the IT staff had turned everything off that was connected to the internet.
They were too late.
The attack from a criminal syndicate in Eastern Europe was initiated through the emergency backup facility used by the 71-staffed-bed hospital many miles away, and it had infected many, if not all its servers. The SamSam ransomware did not affect patient life-support systems.
Unlike ransomware programs that depend on phishing tactics to trick employees to open an infected email, the SamSam attack is more sophisticated. The criminals found a vulnerable port set up by one of the hospital’s vendors, then located a password to gain entry into the system, Long says. They infected data files associated with the hospitals’ most critical information systems.
“It was a port you had to log into but it was exposed to the internet,” Long says.
Long hopes by sharing his story that other healthcare organizations will avoid the disruptions that Hancock Regional experienced. He’s even written a publicly accessible blog about it.
From a forensics investigation done later, it appears the criminals made attempts at a “brute force” attack, in which they ran through tens of thousands of potential password combinations to gain entry.
“That did not work, but at some point, they found a login and password from a vendor who was working with our IT systems,” says Long. “We probably will never know exactly how they got a login and password. We’re told all the time we should be prepared for such things. We had hired a company that was supposed to track this, and had anti-malware and antivirus software we thought was good.”
In short, Long says, Hancock Health probably had a false sense of security about its network.
Long decided to pay the ransom price of four bitcoin, about $50,000 at the time, to begin the recovery process. After about 70 hours offline, and little sleep for the IT staff, communication systems were restored, network file servers were brought back online, and the electronic medical record system was restored.
Long and his staff emerged scarred, but smarter. He says other CEOs should learn at least four lessons from his headaches:
1. Remote Desktop Protocol ports need multifactor authentication
The vulnerability the criminals took advantage of at Hancock is a common port associated with Windows that has plenty of legitimate uses, says Pelletier, such as remote system maintenance, but ports like that are often exploited.
“With this particular port, if clients have a business case that it needs to be open we advise multifactor authentication, including a password, a biometric, and a PIN, randomly generated,” he says.
2. You’re more vulnerable than you think
“In terms of readiness, we had systems in place, had a company that was supposedly monitoring us, and we had cyberinsurance,” says Long.
Hancock didn’t use the cheapest vendors, but not the most expensive, either.
“When you’re the [CEO], IT is the thing you always feel like you put so much money into,” he says. “What we’ve also learned is you could have the best of everything, and you’re not 100% safe. There is a balance.”
3. It takes humans to counter humans
Software can’t fully do the job. It takes humans to offer a dynamic defense to the ingenuity of a hardworking criminal enterprise.
“A lot of organizations buy into what vendors say about their tool but there are vulnerabilities we don’t know about and someone might be harvesting that,” says Pelletier. “Bad actors leave evidence of their attempts that can show something is going on, but it takes a human to do the analysis.”
“In cyber terms, if you are targeted, then with enough time, effort, and resources, they will likely be successful, but It takes time and resources and money,” says Pelletier. “If you make yourself a hard target, they’ll move to someone else who is more vulnerable.”
4. Don’t underestimate the criminals
Cybercriminals carefully calibrate the ransom they ask for based on your organization’s ability to pay, Pelletier says.
“They want to get paid and that’s why the [ransom] dollar amounts, relatively speaking, are low,” Pelletier says.
He says you can restore from a backup rather than pay the ransom, but the likelihood of being able to recover completely may be questionable.
Adds Long: “They force you down a path. We needed to get up quickly, and we had some question about whether our backups were viable,” he says. “I agree with every reason not to pay, but until you are faced with the decision, it’s easy to say lots of things. For us it made the most sense to get the decryption keys.”
Long says such things can happen to anyone. You have to plan for the worst.
“I never imagined I would be sitting there on a Thursday night having shut down all our computers,” Long says. “We want others to learn from this and we believe we can be, for lack of a better word, a beacon.”