Fraud Management & Cybercrime , Healthcare , HIPAA/HITECH

Ontario Hospitals Expect Monthlong Ransomware Recovery

Patient Care Still Disrupted and IT Network, EHR System Down Until Mid-December
Ontario Hospitals Expect Monthlong Ransomware Recovery
Bluewater Health is among the five TransForm member hospitals in Ontario affected by an October ransomware attack. (Image: Bluewater Health)

A shared IT services provider and its five Ontario member hospitals say their recovery from a Daixin Team ransomware attack in October could last into December as the group rebuilds its IT network. Meanwhile, the outage will continue to disrupt patient services, including diagnostics and treatments.

See Also: Gartner Guide for Digital Forensics and Incident Response

TransForm Shared Service Organization and the regional hospitals to which it provides shared IT services - Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital - have been struggling since the Oct. 23 attack that disrupted access to electronic health records and other critical systems.

The incident also involved the theft of millions of patient records and other data (see: Attack on Shared Supplier Affects 5 Hospitals in Ontario).

TransForm in an updated statement released with the affected hospitals on Wednesday said that forensics investigation so far shows that "all" its clinical and nonclinical systems were affected by the attack.

"Our experts have advised us that the safest route is to rebuild the network," the statement says. Restoration is not expected to be completed until mid-December.

"Delays will be reduced for patients once digital charting is restored. Some patients and families may still experience diagnostic and/or treatment delays while we work to restore all systems," TransForm and the hospitals said. "Clinical applications will be coming back online one by one or in clusters as we approach mid-December 2023."

Rebuilding the Network

TransForm's decision to rebuild its IT network from scratch, as opposed to taking other remediation options, likely means that core network services that run on servers were affected, said Keith Fricke, partner and principal consultant at privacy and security firm twSecurity.

For example, that could mean servers that provided network authentication services and managed IP address assignments and VoIP servers that support voice communications, he said.

"Additionally, systems providing patch management, endpoint protection - managing encryption and antivirus software -to laptops and workstations, centralized log management, and other information security-related infrastructure services may be in scope for rebuilding," he said.

An alternative to rebuilding the IT network would be rebuilding an affected server, which can mean reinstalling an operating systems and/or replacing hardware, Fricke said. But that strategy for full recovery is not a sure bet either.

"The risk of trying to remove malware without reinstalling the operating system and/or applications on the server is not fully removing the malware and possible backdoors. Reinfection or continued unauthorized access are possible if the malware/ransomware is not fully eradicated."

TransForm did not immediately respond to Information Security Media Group's request for comment.

Patient Care Still Hurting

On Thursday, the hospitals urged patients who do not need emergency care to contact their primary care provider or local clinic instead of the hospital, according to messages posted on their websites.

"At this time, due to the current impact on systems, physicians may not have access to past patient records or medical history; patients' current medication list; reports from other clinicians involved in care; and pre-admission workups," the hospitals said.

To ensure safe care, some physicians will need to cancel procedures if, in the absence of important information, they feel it is unsafe to proceed, the statement said. "If this is required, physicians will do their very best to reschedule as quickly as possible."

TransForm and the hospitals said they want to "emphasize" to patients that their physicians and front-line staff "are under greater than normal stress due to these unusual circumstances, and they are responding with incredible resolve."

In a statement on Monday, TransForm confirmed that data stolen in the attack includes information about some 5.6 million patient visits made by approximately 267,000 unique patients to member hospital Bluewater Health.

Ransomware group Daixin Team has claimed credit for the attack and has been leaking in batches on its dark website samples of the 160 gigabytes of "sensitive documents" for the more than 5.6 million patient records it says that it exfiltrated from Bluewater Health (see: 5 Ontario Hospitals Still Reeling From Ransomware Attack).

The stolen Bluewater Health database report did not include clinical documentation records, but the hospital is still in the process of determining the individuals and the information affected, TransForm said.

In addition to the Bluewater Health patient database report, attackers also stole data from an operations file server that housed a segmented employee shared drive used by all the member hospitals, TransForm said. "The shared drive data included patient and employee information of varied amounts and sensitivity," TransForm said.

"This incident has affected each institution differently. Some are less severely impacted than others," the statement said. "The stolen data is in many formats, some of which are easier to analyze."

Refused to Pay

TransForm and the hospitals said they refused to pay the extortionists and are working closely with law enforcement, including Interpol, the FBI and Ontario police.

"We are aligned in this position with the 50 members of the International Counter Ransomware Initiative, including Canada, who have recently pledged to never pay ransom to cybercriminals," the group said (see: Global Government Coalition Launching New Ransomware Efforts).

"The hospitals' decision not to pay is absolutely the correct one," said Brett Callow, threat analyst at security firm Emsisoft. "Paying in these circumstances is akin to sending money to a burglar who has promised to return your possessions. It really makes no sense at all," he said.

Governments need to rethink their counter-ransomware strategies, as existing ones very clearly are not working, Callow said.

"In particular, they need to consider a prohibition on the payment of demands or, at least, significant restrictions on the circumstances in which they can be paid. Without that, threat-to-life incidents like this will continue to be regular events."

Persistent Threats

While the five Ontario hospitals and their shared IT services provider are recovering from their recent ransomware incident, cybercriminals this week continued their assaults on other hospitals and healthcare providers, including in the U.S.

Among the latest is Houston-based Harris Center for Mental Health and Intellectual and Developmental Disabilities, which is responding to a suspected ransomware attack that hit earlier this week and encrypted certain employee files. A spokesperson for Harris Center said the hospital has taken its systems offline as it responds to the attack, and is working with third-party cybersecurity experts and law enforcement.

"The practical impact of our preemptive steps is that Harris Center staff have faced limited access to files and that there have been some delays to patient care," the hospital told Information Security Media Group. "The Harris Center is taking all possible steps to continue to provide patient care uninterrupted."

Emsisoft so far this year has counted at least 31 U.S health systems operating a total of 93 hospitals that have been hit with ransomware attacks, Callow said. Of those victim health systems, at least 24 had data stolen.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.