Ransomware Attack on Utah Clinic Affects 320,000Experts Warn That Attacks Continue to Evolve
The ransomware blitz against the healthcare sector continues: A Utah clinic has reported an attack that potentially affected 320,000 patients, making it one of the largest breaches of its kind so far this year.
Premier Family Medical, a clinic with 10 sites in Utah, reported the breach to the Department of Health and Human Services on Sept. 7.
"It is safe to say that ransomware attacks on healthcare will not abate anytime soon," says former healthcare CIO David Finn, executive vice president at security consultancy CynergisTek. "They will certainly continue to evolve and change to exploit new vulnerabilities and use new 'social' attacks - think about email solicitations to help recovery from Hurricane Dorian."
In an Aug. 30 statement, Premier Family Medical says that on July 8, the practice experienced a ransomware attack.
"As a result, Premier was temporarily unable to access data from certain systems within its organization. Premier promptly informed law enforcement and engaged technical consultants to investigate and regain access," the statement says.
"We love being in the business of caring for patients and understand that includes protecting their health information," Robert Edwards, Premier's chief administrator who oversees Premier's cybersecurity and privacy programs, says in the statement. "Even though our investigation has found no reason to believe patient information was accessed or taken, we are very concerned that this event even occurred and have taken steps to further enhance the security of our systems."
Patients who have been treated at any of Premier's 10 Utah County locations are being notified of the ransomware incident that had the potential of exposing their data.
A Premier spokesman declined to disclose to Information Security Media Group the amount of the ransom demanded by attackers, whether Premier paid a ransom to unlock its systems, and the type of systems and data impacted.
The spokesman revealed, however, that the attack involved Ryuk ransomware and that the practice used paper records for a brief period while technical issues were addressed. During that time, Premier was able to continue providing care to patients without interruption even though all of its locations were affected by the attack.
Ransomware Attacks Galore
Ransomware attacks on healthcare providers have been a persistent threat for a while, but they have spiked this year (see: Summer of Data Breach Discontent).
For instance, in July, a Puerto Rican medical center and a related women and children's hospital filed breach reports to HHS about a ransomware attacks that collectively impacted the data of more than 522,000 individuals (see: Ransomware Attack Impacts 522,000 Patients in Puerto Rico.)
Those attacks on Bayamón Medical Center and Puerto Rico Women and Children's Hospital were reported separately on July 19 as hacking/IT incidents involving a network server, according to HHS' HIPAA Breach Reporting Tool website. Also commonly called the "wall of shame," the website lists reports of major health data breaches impacting 500 or more individuals.
Among other ransomware attacks in the healthcare sector so far this year was an incident reported in April by a Doctors Management Services, a Massachusetts-based billing services provider. The attack on that business associate impacted more than three dozen clients and nearly 207,000 individuals.
And in June, a ransomware incident affected 88,000 patients of Grays Harbor, Washington-based Grays Harbor Community Hospital and its medical group. Attackers demanded a $1 million ransom, but the healthcare entity did not pay.
To prepare for ransomware attacks, organizations can take steps to control the disruption and minimize the number of patients whose data is potentially exposed.
"What to do is not rocket science and it is not new at this point," Finn says. You should be ready: That means [implementing] all the aspects of the National Institute of Standards and Technology's Cybersecurity Framework."
Key steps include knowing where all data is located, having tools to detect for anomalous activities and training the workforce. "Phishing is still a primary vector for spread of ransomware ... apply the right protections on those assets," Finn says.
Organizations also must make sure they have up-to-date backups that are available outside their network, he stresses. "You should have an incident response plan in place and one that is regularly exercised and updated," he adds.
The Risks of Paying a Ransom
Although paying a ransom may seem like the fast and easy way out, it may not result in decryption of data that was encrypted by attackers, he warns.
"Paying ransom - and I can imagine situations where a healthcare provider would want to pay - is never a good idea for many reasons," he says. "It encourages more ransomware attacks. And there is not a guarantee that paying will get your data back. We've also seen organizations pay the requested ransom and as soon as that is paid, the ransom goes up."
Max Henderson, senior security analyst and incident response lead at security consulting firm Pondurance, offers a similar perspective. "Paying the ransom further motivates the adversaries to continue their attacks and also motivates other threat groups to alter their payloads to a ransomware approach."
The most common entry point of ransomware in recent breaches has been email attachments, Henderson notes. To mitigate the risk, he recommends "honing in on available email filtering options, implementing a next-generation endpoint detection and response platform and ensuring that proper segmentation and access control is managed within the environment."
Criminals Are Patient
Henderson notes that cybercriminal organizations that deploy ransomware have become increasingly patient with their approaches.
"In recent investigations, we have seen unauthorized access transpire for over a month before deploying ransomware," he says. "The apparent underlying cause for this is that these actors are carefully and methodically mapping out the network to identify critical servers. As a result, the actors are becoming increasingly successful at maximizing impact, including the identification and removal of backup files."
While there's a plethora of ransomware authors whose payloads end up as "a flash in the pan," Henderson says, some emerging, organized groups with payloads such as BitPaymer, iEncrypt, and Sodinokibi "are becoming an increasing threat to the healthcare sector. These organized groups are continuing to rake in payments, thus motivating their efforts against organizations that are likely to pay, which includes the healthcare sector."