During December, 2017, Eagle Consulting received an inquiry from a small medical practice that lost its entire electronic record database in an attack from the Hermes ransomware. By the time the practice became aware of the attack, the damaged database overwrote the only available backup. Eagle Consulting provided support for the HIPAA-mandated investigation and response to this security incident.
Ransomware is a form of malware that holds computer files hostage (by encrypting them with strong encryption) unless a ransom is paid. Simply paying the ransom is discouraged because the victim often does not get his files back, and payment reinforces ransomware as an effective criminal business model.
All modern EHR systems are built using an underlying database management system (DBMS). Typically, the DBMS provides a level of protection against ransomware because the DBMS process, for example, Microsoft SQL Server, maintains exclusive access to the database. This locks the database files and prevents the ransomware from gaining access.
This particular practice used a backup scheme which automatically shut down the DBMS process at 10:00PM each night (when no one is using the system) to perform the backup. It was while the database was shut down that the ransomware was able to gain access to the database files and encrypt them. Then, the backup process started and backed up the scrambled (encrypted) database, destroying the only good backup. (It is not uncommon for small practice backups to first shut down the database to perform a backup.)
This case illustrates the importance of two key mitigation measures:
- Maintain multiple generations of backup. For example, 10 generations would keep a daily backup of Monday – Friday backups for two weeks. It is not uncommon that staff will require one, two or even more days to discover a date integrity problem. Had this practice maintained even two generations of backup, a recent copy would have been available.
- Protect backups. If backup files are readily available on a computer network, the ransomware can encrypt the backup files. Ensure that backup files are protected. Two ways to protect backups include sending them to a 3rd party cloud backup service or saving them on removable media which is detached from the network.
Please see our post Preventing and Mitigating Ransomware Attacks for a full list of best-practice measures to protect your organization.