It seems we can’t go more than a couple of days without seeing ransomware in the headlines. New attacks launched, new variants discovered, new victims reporting their losses. Despite the prevalent coverage of ransomware, there are a number of significant attacks that are not widely reported. As an example of this, here are three low-key ransomware attacks on health care related industries around the United States. There’s something to learn from each one, and something to learn from the whole set.
Airway Oxygen supplies home medical equipment such as oxygen therapy devices and mobility aids. On April 18 the company discovered a ransomware attack shortly after it started. It notified current and former patients and employees that their data may have been compromised. Affected records include names, addresses, birthdates, telephone numbers, diagnoses, insurance policy numbers, types of service and some Social Security numbers. The ransomware encrypted some of the data, and company representatives believe that some data was stolen.
In response to the attack, the company disclosed quite a bit of information:
The notification letter includes an expansive Q&A covering who was responsible for the breach, how it was discovered, how long hackers were in the system, if the hack could have been prevented, data that was stolen and whether anyone has been adversely affected, among other questions.
The company did not disclose whether they paid the ransom, or how much was demanded.
Lesson Learned: Airway Oxygen was widely praised for the candor with which it disclosed the attack. It did this without giving away information on its response to the attack. In short, the company went as far as possible to reassure the public without disclosing anything that might help stage a future attack.
Cove Medicine is a health care facility that provides a variety of services in family and sports medicine. It is located in Huntsville, Alabama, and provides services in its own facility as well as at nearby hospitals.
On April 14 the Cove Medicine computer system was infected by ransomware that encrypted the software that contains the medical records of the patients. These records contained “names, dates of birth, social security numbers, addresses, patient identification numbers, prescription information, diagnosis information, procedure information, and time and date of treatment.” Cove Medicine removed the ransomware and restored from backup. Because the backup was also partially encrypted, the last two years of patient notes were lost in this attack.
Cove Medicine notified the patients and created a response hotline for those who had concerns about the attack. The company also reported that a complete investigation of the system showed no remaining signs of ransomware, data exfiltration, or other unauthorized access. The company disclosed the attack and the details on June 13, 2017, in this press release (pdf).
Lesson Learned: Having a backup protected Cove Medicine from the worst possible scenario, but it could not fully restore its data because the backup itself was partially encrypted. This happens far too often. Protecting a company's data includes protecting the backups from the same attack that hits production systems.
Cleveland Medical Associates ('Cleveland') offers internal and family medicine specialists and an array of care services. On April 21, Cleveland discovered that its systems had been infected with ransomware. It found no evidence that patient data was compromised or exfiltrated, but it could not confirm that patient data had not been accessed.
In the patient notification letter, Cleveland identified specific steps that it had taken as a response:
· The FBI was notified and the crime reported
· An independent forensic investigator was retained to determine the extent of the damage
· Cleveland proactively offered patients a credit watch service and advised them on specific steps to take as a result of this incident.
The company did not disclose whether a ransom was paid, but they did report the implementation of a new medical records system. The details are in the patient notification letter here.
Lesson Learned: In the patient notification, Cleveland made the distinction between ransomware encryption, unauthorized access, and data exfiltration. This is an important distinction to remember. A ransomware attack could simply be a distraction to keep your staff busy while the attacker surreptitiously copies data from your network. A medical record contains comprehensive information about your identity and medical history, so it's a valuable piece of data for these thieves. Forbes recently reported that an electronic medical record could be worth up to $1,000 on the black market.
There are a few things that are common to all of these organizations:
- They did not disclose details on their security or ransomware response, unless they had been able to avoid paying the ransom
- They all relied heavily on data recovery
- Attacks were followed by investigations into how the network was infected
- They expanded the investigation to look for evidence that data was exfiltrated from the network
- They acted according to the legal framework that applies to their industry
- They demonstrated a concern for their patients, customers, and other affected parties
While regulations like HIPAA played a role here, any organization concerned for its customers can benefit from this type of disclosure. While the notification process may be painful, there’s no better way to build trust than to show that you’ve earned it. Being as honest as possible without risking further attack is always appreciated by the public.
Backup and recovery capability is critical to recovering from ransomware. If you have it in place, a ransomware attack will be a nuisance and may cost you some downtime, but your data will be protected. Remember to take measures to protect your data backups from the attacks that hit your network, and verify that a backup is still intact before you rotate out the copy you would otherwise restore from. Look into offsite replication to give yourself some extra protection.
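The Cove Medicine case above is exactly the failure a backup integrity check is meant to catch: the backup was partially encrypted, and nobody knew until restore time. The following is an added example, not code from the article or from any of the organizations described. It records a manifest (SHA-256 hash and byte entropy per file) when a backup is written, stores it away from the backup medium, and later compares the backup against that manifest. A file whose hash changed and whose entropy jumped toward 8 bits/byte looks like it was encrypted in place; missing files and files absent from the manifest are reported as well. The directory layout, file names and the 7.5 bits/byte threshold are constructed for the example.

```python
"""Integrity check for a backup set, catching ransomware-style tampering.

Constructed example: a manifest (path -> sha256, entropy) is taken when the
backup is written and kept off the backup medium. Before old copies are
rotated out, the current backup is verified against that manifest, so a
partially encrypted backup is noticed before the last good copy is gone.
"""
import hashlib
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Encrypted or compressed data approaches 8 bits of entropy per byte; patient
# notes, CSV exports and most documents sit well below this. Threshold is an
# assumption chosen for the example, not a value from the article.
HIGH_ENTROPY = 7.5


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte of `data` (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def fingerprint(path: Path) -> tuple[str, float]:
    """SHA-256 hex digest and entropy of one file."""
    data = path.read_bytes()
    return hashlib.sha256(data).hexdigest(), shannon_entropy(data)


def _relative_files(root: Path) -> dict[str, Path]:
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def build_manifest(root: Path) -> dict[str, tuple[str, float]]:
    """Record hash and entropy of every file under `root`, keyed by relative path."""
    return {rel: fingerprint(p) for rel, p in sorted(_relative_files(root).items())}


def verify_backup(root: Path, manifest: dict[str, tuple[str, float]]) -> list[tuple[str, str]]:
    """Compare the backup at `root` with `manifest`; return (path, finding) pairs."""
    findings: list[tuple[str, str]] = []
    present = _relative_files(root)
    for rel, (expected_hash, expected_entropy) in manifest.items():
        if rel not in present:
            findings.append((rel, "missing"))
            continue
        actual_hash, actual_entropy = fingerprint(present[rel])
        if actual_hash != expected_hash:
            findings.append((rel, "hash-mismatch"))
            # A low-entropy file that now looks like random bytes is the
            # signature of in-place encryption rather than a routine edit.
            if actual_entropy >= HIGH_ENTROPY > expected_entropy:
                findings.append((rel, "high-entropy"))
    for rel in sorted(present.keys() - manifest.keys()):
        findings.append((rel, "unexpected-file"))  # nothing new should appear in a finished backup
    return findings


def demo() -> list[tuple[str, str]]:
    """Constructed scenario: snapshot a backup, then damage part of it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "notes").mkdir()
        (root / "notes" / "2016.txt").write_text("visit notes 2016\n" * 200)
        (root / "notes" / "2017.txt").write_text("visit notes 2017\n" * 200)
        (root / "schedule.csv").write_text("date,patient_id,room\n" * 100)
        manifest = build_manifest(root)  # in practice: stored off the backup share
        # Simulate malware reaching the backup share: one file overwritten with
        # random bytes (stand-in for ciphertext), one deleted, one file added.
        (root / "notes" / "2017.txt").write_bytes(random.Random(1).randbytes(4096))
        (root / "schedule.csv").unlink()
        (root / "extra.bin").write_bytes(b"constructed sample\n")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for path, finding in demo():
        print(f"{finding:16} {path}")
```

Run the check from a host that has read-only access to the backup target, and keep the manifest (or at least its hash) on a system the backup job cannot write to; otherwise whatever encrypts the backup can also rewrite the record you compare it against. The entropy test is a heuristic: already-compressed archives will legitimately sit near 8 bits/byte, which is why the example only flags a jump from low to high entropy rather than high entropy alone.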
These attacks also demonstrate that small businesses are not immune from costly attacks. Any company can be a victim of an untargeted attack. The best approach for any organization is to assume that it is being targeted for an advanced attack, and to secure itself accordingly.
Finally, keep in mind that most industries are exposed to some type of legal issue in the event of a successful network intrusion. Think about these legal ramifications as part of your security strategy. Will you need to have an attorney advise you on your response? Should your forensic investigations be conducted under attorney-client privilege? Knowing this ahead of time will help you stay in control of your business response to a successful attack.