Hospital, Health Department Still Recovering From Attacks
What Steps Can Other Entities Take to Lessen Post-Attack Restoration Pain?
Most phone lines, email and other IT systems appear to remain down at a Kentucky hospital that suffered a cyberattack more than three weeks ago. Meanwhile, the Maryland Department of Health continues to work on fully restoring IT services still affected more than two months after a December ransomware attack.
Those are among the latest reminders of how long and difficult recovery can be when a healthcare or public health sector entity is hit with ransomware or other disruptive cyberattacks.
Taylor Regional Hospital Attack
As of Monday, Taylor Regional Hospital, a 90-bed facility based in Campbellsville, Kentucky, was still working with only about two dozen temporary phone lines that have been put in operation while the entity continues to investigate and recover from a cyberattack initially publicly disclosed on its Facebook page on Jan. 19.
An "urgent warning" still posted on the hospital's website Monday says that all phone lines at the hospital and hospital-owned providers are down. The website message also says that certain patient services are being offered only on a limited basis and that individuals need to bring along paper documents to various appointments.
For instance, the notice says that routine outpatient laboratory tests will only be performed daily during a six-hour window in the morning and early afternoon and that all patients are required to bring a "WRITTEN" order.
COVID-19 testing is also significantly affected. "Due to the system-wide outage, we are unable to schedule COVID testing as previously communicated; we are still testing at The Walk-In Clinic between the hours of 10:00 a.m. and 12:00 p.m. on a first-come, first-served basis," the notice says.
"We appreciate your patience as we work to return to normal operations."
Taylor Regional Hospital did not immediately respond to Information Security Media Group's request for comment.
Maryland Department of Health Incident
Meanwhile, approximately 5,000 replacement computers, including 4,000 laptops, have been rolling out to workers at the Maryland Department of Health who had been instructed to not use their MDH-issued computers due to the risk of possible malware infections following a cyberattack that occurred on Dec. 4.
Last month, state officials confirmed that the attack had involved ransomware.
In a statement to ISMG, an MDH spokesman says: "Generally, whenever possible, affected MDH computers are being cleaned for redeployment. However, some computers that are close to the end of their expected life are being replaced. As always, the security of state systems remains a top priority."
In a Jan. 28 update the health department shared with ISMG, department leaders told staff that incident containment and investigation efforts were progressing as the department continued to bring systems safely back online.
"At the same time, we know that the incident and our response to it have been disruptive," the letter says. "Many of the Department’s core functions were not affected, and many services have already been restored, yet the impacts to our staff, administrations, and partners are still widely felt."
A notice on the health department's website on Monday says: "To prevent additional damage, we continue to be methodical and deliberate in restoring network systems while prioritizing health and human safety function. We remain actively engaged with both state and federal law enforcement partners as part of an ongoing criminal investigation."
Unfortunately, the ongoing post-attack restoration struggles at the Kentucky hospital and the Maryland Department of Health are not unusual for healthcare and public health sector entities.
Last May, a ransomware attack disrupted IT systems and patient care at San Diego, California-based Scripps Health for almost a month, costing the organization nearly $113 million, including $91.6 million in lost revenue, according to a financial report from the nonprofit entity.
The healthcare organization also now faces civil class action lawsuits filed by patients who say their care was delayed and data compromised by the incident (see: Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack).
Ireland's HSE Attack
And U.S.-based healthcare sector entities are not the only ones that have struggled to recover quickly from ransomware or other cyber incidents.
For instance, it took Ireland's Health Service Executive about four months to fully recover from a Conti ransomware attack last May that caused all its IT systems nationwide to be shut down, the U.S. Department of Health and Human Services says in a report issued Friday to the U.S. healthcare and public health sector.
The HHS document is based on a 157-page report released last December by PricewaterhouseCoopers, which had been commissioned by the HSE to analyze the incident (see: Report Dissects Conti Ransomware Attack on Ireland's HSE).
The HSE is Ireland's publicly funded healthcare system under the Irish Department of Health, consisting of 54 public hospitals directly under HSE authority, and voluntary hospitals that use national IT infrastructure, HHS says.
The incident is the most significant cyberattack on an Irish state agency to date and is also the largest known attack against a health service computer system in history, HHS says.
About 80% of HSE's IT environment was encrypted by the Conti ransomware in the incident, HHS says. "The impact of the ransomware attack on communications was severe, as the HSE almost exclusively used on premise email systems - including Exchange - that were encrypted, and therefore unavailable, during the attack," HHS says.
The HSE took actions to contain the ransomware attack by powering down systems and disconnecting the wider National Health Network from the internet, HHS says.
But according to the agency, the incident resulted in the exfiltration of 700 gigabytes of unencrypted HSE data, including patients' health information.
Lessons to Learn
Some experts say that the serious challenges many healthcare sector entities face in defending against and then recovering from ransomware incidents and other cyber incidents should serve as warnings to other organizations.
"The biggest lesson and takeaway from these really impactful attacks is the lack of internal controls and restrictions to hinder access once a system is compromised," says William Gadzinski, a senior incident response consultant at security consultancy Pondurance.
IT security practitioners are comfortable with the concept of defense in depth when planning for incident prevention, Gadzinski says, but often they don't consider or implement controls that would keep an incident contained to a manageable extent.
"Evaluating one’s security posture from the perspective of an assumed system compromise can often reveal holes in protection or blind spots in detection methods that allow an attacker to escalate their access and therefore do serious damage," he says.
Gadzinski says that prior to deploying ransomware, an attacker may dwell in an environment for a long period of time, deploying backdoors and persistence mechanisms that end up captured in any backups made during that period, rendering those backups useless.
"Though an organization may have mechanisms for identifying unauthorized access or breaches, those mechanisms are only worthwhile if they are being monitored regularly," he says.
"IT management should ensure that backup retention schedules match up appropriately with scheduled log reviews and detection timelines, ensuring a system won't overwrite its last 'good' backup before any unauthorized access can be identified."
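As an added illustration of the retention-versus-detection check described in the quote above (example code written for this page, not from Gadzinski or Pondurance), the following models a backup rotation policy with constructed values, finds the newest retained backup that predates an estimated intrusion date, and tests whether the log-review cadence plus investigation time fits inside the retention window.

```python
from datetime import date, timedelta

# Rotation policy as {tier: (interval_days, copies_kept)}; the values are a
# constructed grandfather-father-son example, not figures from the article.
GFS_POLICY = {"daily": (1, 14), "weekly": (7, 8), "monthly": (30, 12)}
DAILY_ONLY = {"daily": (1, 14)}

# Constructed dates for the worked case: the day the incident is detected
# ("today") and the estimated date the attacker first gained access.
TODAY = date(2022, 2, 14)
INTRUSION = date(2022, 1, 1)


def retained_backups(today, policy):
    """Dates of the backup copies still on disk under the rotation policy."""
    kept = set()
    for interval, copies in policy.values():
        for i in range(copies):
            kept.add(today - timedelta(days=interval * i))
    return sorted(kept)


def last_clean_backup(today, intrusion_date, policy):
    """Newest retained backup taken before the estimated intrusion.

    Copies taken on or after the intrusion date may already contain the
    attacker's backdoors and persistence, so they are treated as tainted.
    Returns None when every retained copy is tainted."""
    clean = [d for d in retained_backups(today, policy) if d < intrusion_date]
    return max(clean) if clean else None


def retention_window_days(policy):
    """Age of the oldest copy the policy keeps: the hard limit on how long
    after an intrusion a clean backup can still be found."""
    return max(interval * (copies - 1) for interval, copies in policy.values())


def policy_covers_detection(policy, review_interval_days, investigation_days):
    """Check that the log-review cadence plus investigation time fits inside
    the retention window. Worst case: the intrusion lands just after a review,
    is only noticed at the next review and is confirmed after investigation;
    a copy strictly older than the intrusion must still exist on that day,
    hence the strict inequality."""
    worst_case_detection_day = review_interval_days + investigation_days
    return worst_case_detection_day < retention_window_days(policy)
```

With the constructed dates, the GFS policy still holds a clean weekly copy from 2021-12-27 even though the intrusion is six weeks old, while the daily-only policy has already rotated every clean copy out.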
Keeping Communication Intact
Gadzinski says that entities can also take steps to avoid situations like the one that occurred in the Taylor Regional Hospital attack, in which phone and email communications were severely affected.
"Isolating a VoIP network from an enterprise domain, both via network controls and authentication groups, can help maintain communications through an incident that affects a domain," he says.
"If federated authentication is required, network isolation and implementing separate accounts for administration of each network may help reduce the impact of an attack involving administrator account compromise."
Gadzinski also says that if email cannot be separated from endpoint authentication and infrastructure, it is critical to have a plan for how to quickly deploy and maintain out-of-band email and communications in order to respond rapidly and resume business.
Attorney Peter Halprin of the law firm Pasich LLP, who advises clients regarding cyber insurance, says that preventative steps are vital for fending off the severe impact of some potential ransomware incidents.
He says cyber hygiene, patching systems, updating older systems and having a strong and well-tested incident response plan are all essential to prevent attacks.