One after another, Eagle’s clients have told their stories of ransomware infections during the last year.  The response after becoming a victim is typical – these organizations recognize that attacks could occur again, with impacts even more severe, and invest both in safeguards to prevent future attacks and in protections to mitigate the impact should they occur.  Ransomware attacks are rampant throughout the healthcare industry, affecting a high percentage of organizations.

A key part of the HIPAA Security Risk Analysis is to recognize the scope and breadth of the ransomware threat, as well as the impact that it can have.  So we offer these case studies of hospitals around the country whose systems have been crippled, resulting in compromised patient care and safety, revenue loss, reputation damage, cash flow delays, lost staff productivity, and huge costs for forensic computing specialists and IT.  Here are some of the cases that have filled our email inboxes during 2016:

Titus Regional Medical Center.  This Mount Pleasant, Texas hospital was hit with an attack at about 7:30 PM on Friday, Jan 15.  TRMC public information officer Shannon Norfleet said that ransomware encrypted files on several database servers.  “We couldn’t get to our data,” she said.  “The virus primarily impacted the ability for electronic medical records entry and retrieval, as well as the integration and coordination of interdepartmental orders (laboratory, pharmacy, imaging, etc.),” Norfleet said.  TRMC used runners to transfer information.  On Monday, January 25, CEO John Allen reported “we have restored functionality to our core electronic medical record system over the weekend.”  Hospital systems were down for 10 days.  No ransom was paid.

 

Hollywood Presbyterian Medical Center.  Located in Hollywood, CA, this institution was hit on Feb 5, the first big hit of 2016.  They acknowledged paying $17,000 in ransom to gain access to their data, 3 days after the attack.  CEO Allen Stefanek defended paying the ransom as “the quickest and most efficient way to restore our systems and administration functions. . .”  While systems were down, records were maintained with pen and paper.  He further said that neither patient care nor medical records were ever compromised.  This case would be the first of many throughout 2016 in which hospitals paid crooks in ransomware attacks.

Lukas Hospital.  While the USA has the highest per-capita volume of attacks, ransomware is a worldwide problem.  On February 10, Lukas Hospital in Neuss, Germany was hit with the TeslaCrypt 2.0 ransomware.  The attack impacted access to imaging systems and email, according to hospital spokesperson Dr. Andreas Kremer.  While systems were shut down, staff used pen and paper, faxes and the telephone.  Approximately 20% of surgeries were postponed or diverted, and the hospital reduced emergency services for a few days, “because providing emergency care needs a fast system and we could not provide that.  Working through our 700 computers is still ongoing, meanwhile many work stations got completely new hardware and the old devices were disposed of appropriately,” continued Kremer, who described the remediation.

Methodist Hospital.  On Friday, March 18, Methodist Hospital of Henderson, Kentucky was hit with the “Locky” strain of ransomware via email.  The hospital placed a scrolling red alert on its homepage stating that “Methodist Hospital is currently working in an Internal State of Emergency.”  After the initial infection the ransomware spread and succeeded in compromising other systems.  The hospital shut down all systems and reverted to manual systems.  After five days of downtime, hospital officials stated that they had recovered without paying the $1,656 ransom demand.

 

Prime Healthcare Services.  Starting March 21, three of Prime Healthcare’s hospitals – Desert Valley Hospital, Chino Valley Medical Center, and Alvarado Hospital Medical Center – were forced to shut down their systems.  Radiology and “other ancillary services” were down for several days.  Prime recovered without paying ransom.

 

MedStar Health.  Early in the morning on Monday, March 28, this Washington, DC area health system was hit with ransomware.  Several of its hospitals were affected.  “MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization,” spokeswoman Ann Nickels said in a statement.  “Even the lowest-level staff can’t communicate with anyone.  You can’t schedule patients, you can’t access records, you can’t do anything,” said one employee who requested anonymity.  A physician at another facility said the ransomware created a “patient safety issue.”  A nurse told the Washington Post that the paper charts used can be missing vital pieces of patient information.   MedStar acknowledged that treatments were delayed and that patients were turned away.

Kansas Heart Hospital.  This specialty hospital in Wichita fell victim to a ransomware attack on May 18.  While full details are not available, according to the hospital president Dr. Greg Duick, the ransomware quickly “became widespread throughout the institution.” The hospital initially paid the ransom – but the attackers refused to provide the decryption key and demanded more money.  The hospital then began the process of restoring from backups.  Limited information is available about the outcome or full impact of the incident, including the amount of ransom paid.

 

Appalachian Regional Healthcare.  This health system operates 10 hospitals across eastern Kentucky and southern West Virginia, as well as retail pharmacies, home health agencies and physician practices.  On August 27 the cyberattack forced the health system to shut down the entire computer network – all locations – for 3 weeks.  While the hospital functioned manually with limited capacity, it diverted patients to other facilities.  While it is widely believed that ransomware was involved, neither the organization nor the FBI has confirmed the details, citing an ongoing investigation.

 

The takeaway – the crooks who perpetrate ransomware have unleashed a destructive force with malware that continues to evolve and threaten healthcare organizations.  The impact on hospitals that are hit with an attack has been staggering – days or weeks of downtime, patient safety compromised, patients turned away with commensurate revenue loss, cash flow delays due to lack of billing, staff frustration, major IT costs from the necessary forensic consulting expertise, and damage to reputation.  For those who have avoided a significant ransomware attack, these case studies are important to help understand the potential impact of a major attack.  The steady drumbeat of new ransomware victims also provides clues regarding the likelihood of attack – high.  For techniques and strategies that can prevent ransomware in the first place, and reduce the impact if you are infected, see Preventing and Mitigating Ransomware Attacks.
