Following a ransomware attack on Indiana-based organization Hancock Health last Thursday, staff at the hospital had no choice but to move to using pen and paper to detail patient health information, while IT staff made efforts to obstruct the attack and regain access to encrypted files.
The attack started around 9.30pm on Thursday night when files on its network started to be encrypted. The attack initially caused the network to run slowly, with ransom notes appearing on screens indicating files had been encrypted. The IT team responded rapidly and started shutting down the network to limit the extent of the attack and a third-party incident response firm was called upon to help mitigate the attack.
An attack such as this can cause major disruption to patient services, although Hancock Health commented that patient services were unaffected and appointments and operations went on as normal.
A review of the attack uncovered no proof to suggest any patient health information was stolen by the hacker(s). The aim of the attack was mainly to cause disruption and lock files to pressurize the hospital to pay a ransom to rescue its files.
A report published in the Greenfield Reporter said that the attack involved a variant of ransomware called SamSam. The ransomware variant has been employed in numerous attacks on healthcare groups in the United States over the past year. The unknown hacker(s) demanded a payment of 4 Bitcoin to hand over the keys to unlock the encryption.
As made obligatory under HIPAA, Hancock Health had completed backups and no data would have been lost due to the attack; however, the process of recovering files from backups takes a significant amount of time. The hospital would not have had access to files and information systems for many days – possibly even weeks – if backups were used to rescue data. On Saturday, the decision was taken to pay the ransom to rescue the files.
The decision to pay the ransom was not taken following much consideration. While patient services were not damaged, restoring files from backups would almost certainly have affected patients and paying the ransom was thought to be the best option to avoid disruption. The keys to remove the encryption were supplied within two hours of the ransom being paid and the network was returned online on Sunday.
Usually, these attacks occur due to employees responding to phishing emails or visiting malicious websites, although Hancock Health says this particular attack was not caused by a staff member responding to a phishing email.
The attack was very refined. “This was not a 15-year-old kid sitting in his mother’s basement,” stated Hancock Health CEO Steve Long.
Hancock Health has now put in place software that can detect atypical network activity indicative of an intrusion or ransomware attempt, which will allow speedy action to be taken to block, and minimize the severity, of any more attacks. Hancock Health is working with national law enforcement agencies to learn more about the hacking incident.