After Ransomware Attack, Clinic Faces More Woes'Vendor Error' Leads to Data Loss After Attack
A recent breach reported by an Arlington, Texas-based pediatric clinic serves is the latest reminder of the substantial risks ransomware poses to patient data and offers a lesson in what can go wrong when responding to such an attack.
Meanwhile, a new research report shows cybercriminals now are using more than 200 families of ransomware (see Ransomware Family Count Surpasses 200).
Rainbow Children's Clinic on Oct. 3 reported to the U.S. Department of Health and Human Services a hacker incident affecting more than 33,000 individuals. In a notice posted on the clinic's website, the clinic says that on Aug. 3, a hacker accessed its computer system and then launched a ransomware attack that began to encrypt data stored on the clinic's servers.
"The computer system was shut down immediately to prevent loss of patient information, and the clinic immediately began an investigation," the notice says. "Rainbow Children's Clinic retained an independent computer forensic expert to assist, and through the investigation, the clinic discovered that some patient records have been irretrievably deleted."
Lindsay Nickle, an attorney representing Rainbow Children's Clinic, tells Information Security Media Group the loss of patient records that were "irretrievably deleted" was the result of a "vendor error" during the mitigation effort following the incident, and not a result of the actual ransomware software. She would not specify the type of IT vendor involved or identify the company.
Nickle's advice to other healthcare providers dealing with a ransomware attack is "to make sure your IT vendor understands the requirements of healthcare and HIPAA. There are a lot of IT vendors out there who say they understand healthcare, but they don't."
The attackers demanded a ransom, but the clinic did not pay, Nickle adds. The clinic is working with its patients and their families to recreate the lost records. It's offering affected individuals free identity resolution and credit monitoring services through Equifax.
The records that have been potentially exposed by the hacking incident, according to the clinic's notice, include patients' names, addresses, dates of birth, Social Security numbers and medical information, the clinic notes. "In addition, the impacted records may also include personal information regarding patients' payment guarantors, including guarantors' names, addresses, Social Security numbers and medical payment information," the clinic says.
Although the ransomware incident at Rainbow Children's Clinic apparently was complicated by a vendor's mistake during recovery efforts, some experts note an organization's data could also potentially become irretrievably lost in ransomware attacks due to other factors.
That includes attacks involving ransomware that encrypts files and then periodically deletes batches of files, says Keith Fricke, partner and principal consultant at tw-Security. "This action is intended to prompt quicker ransom payment," he adds. "Irretrievably deleted files implies backups of the data were unavailable or unusable."
Maintaining clean backups is key to recovering from ransomware, he notes. "Most organizations have moved away from tape as a backup medium, in favor of disk-to-disk backups. Most storage area networks have data 'snapshot' capabilities that can help recover encrypted or deleted files," he says.
Jack Danahy, chief technology officer of security firm Barkly, notes: "Some newer versions of ransomware make a focus on backups even more important, since there are now so-called 'ranscam' packages that don't even save the encrypted files and can't/won't restore them after the ransom is paid."
When more organizations understand that they may permanently lose patient records as a result of a cyberattack, hampering their ability to provide services, they will start taking a closer look at their security practices, Danahy says. "The most important step, from a remediation standpoint, is to be sure that the backup system files are not accessible from the same systems that are being backed up," he says. "Most utilities have a client that expects to connect through a specific protocol, and with specific permissions, so there is no reason for the backup host to allow any of the usual connections via network mounts and file sharing that ransomware leverages."
More at Stake
In a recent interview with ISMG, Denise Anderson, president of the National Health Information Sharing and Analysis Center, noted that it's not just patient data privacy that's at stake when attackers launch ransomware attacks on healthcare provider organizations - the attacks also are potentially disruptive to the delivery of healthcare to patients.
That was evident in several recent cyberattacks on healthcare organizations, including a suspected ransomware assault in March on MedStar Health, a 10-hospital, Maryland-based healthcare system that shut down many of its facilities for several days while it mitigated the attack.
"The original concern [with cyberattacks] was around data being taken," Anderson says. "But in many cases involving ransomware, it's held up operations so that hospitals and providers cannot deliver services to patients, and when you're looking at those types of things, you're talking about people's lives, not just people's data."
The potential impact from ransomware attacks also include loss of reputation, financial losses, unwanted media exposure and ultimately a negative impact on patients, says Andrew Hicks, director of the healthcare practice of security consulting firm Coalfire.
"Therefore, how you prepare is key. It is highly recommended that organizations participate in cyber war gaming exercises to initiate discussions, refine procedures and promote the development of a comprehensive playbook that takes the guesswork out of breach response," he says. "It's better to figure it out during a simulated exercise than on the fly in a real attack. Also, organizations shouldn't forget to consider cyber insurance."
Covered entities and business associates also need to take other steps to prevent becoming a victim of ransomware, says Rebecca Herold, CEO of The Privacy Professor and co-founder of the consulting firm SIMBUS Security and Privacy Services.
For example, they should provide training to workers so they can spot ransomware attempts and not succumb to them. "Make sure all workers know how to recognize potential phishing, vishing and other similar types of attacks that could result in ransomware situations," she says.
It's also critical to use constantly updated anti-malware software, she says. "This includes on the personally owned devices that employees, contractors, volunteers, etc., use for work activities," she says.
When to Pay
While Rainbow Children's did not pay a ransom - just as law enforcement, including the FBI, advise - each ransomware situation brings its own set of circumstances, Hicks notes. "Typically it's frowned upon for organizations to pay attackers, but there is a time and a place," he says.
"Consider Hollywood Presbyterian Medical Center and the fact that they paid hackers $17,000 for the encryption key to restore the medical records of their patients. The decision whether to pay attackers isn't black and white, which is all the more reason for organizations to have a well-thought-out incident response plan," he says.
"Careful consideration must be given to the type and quantity of data; impact to the affected individuals and organization; law enforcement - including the FBI - involvement; and advice from forensics experts that your organization should have on retainer."