Jules Vergara, CTO

A Postmortem On A Cyber Attack

Here is a high-level overview of an OMS practice that was hit by a Ransomware cyber attack, leaving it crippled and resulting in a tremendous loss of data.

Practice Background:

A four-location OMS practice with approximately 60 computers connected via a VPN.

IT Background:

  • Full-time IT staff

  • High-end enterprise firewalls at each location

  • Running a dedicated OMS software solution with 2D and 3D digital radiography shared across all locations.

The Event:

In July 2017, the practice noticed that something was wrong with their network. All of a sudden their files became inaccessible. They had been hit by a Ransomware attack. Within a few minutes, the Ransomware had spread through their VPN (virtual private network) and impacted every computer and server, leaving them completely down. The practice lost all their attachments and x-rays. An attempt to restore their images and attachments from remote storage failed.

Systems Impacted:

  • Practice Management Software

  • Imaging - 2D and 3D

  • Insurance Claim Processing, due to the loss of attachments.

Initial Forensic Findings:

An initial forensic analysis determined that the hackers first found an open Remote Desktop Protocol (RDP) port. Once they gained access through the RDP port, a weak password enabled them to inject the ransomware into the network. This gave the attackers complete access to the network. The hackers asked for an exorbitant amount of money for the key to decrypt the data. Law enforcement advised against paying. A full forensics exam is currently underway.
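The finding above (an exposed RDP port followed by a guessed weak password) leaves a recognizable trail in the Windows Security log: a burst of failed logons (event 4625, logon type 10) from one source address, then a success (event 4624) from the same address. The following Python is an added detection example, not code from this post or from the practice's investigation; the log records are constructed to resemble those events, and the threshold and time window are arbitrary assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields
# (4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP).
# These are made-up entries, not data from the incident described above.
EVENTS = [
    "2017-07-10T02:14:05 4625 LogonType=10 User=admin IpAddress=198.51.100.23",
    "2017-07-10T02:14:07 4625 LogonType=10 User=administrator IpAddress=198.51.100.23",
    "2017-07-10T02:14:09 4625 LogonType=10 User=office IpAddress=198.51.100.23",
    "2017-07-10T02:14:12 4625 LogonType=10 User=scanner IpAddress=198.51.100.23",
    "2017-07-10T02:14:15 4625 LogonType=10 User=frontdesk IpAddress=198.51.100.23",
    "2017-07-10T02:14:18 4624 LogonType=10 User=frontdesk IpAddress=198.51.100.23",
    "2017-07-10T08:01:00 4625 LogonType=10 User=drjones IpAddress=10.0.2.15",
    "2017-07-10T08:01:30 4624 LogonType=10 User=drjones IpAddress=10.0.2.15",
    "2017-07-10T09:00:00 4624 LogonType=2 User=drjones IpAddress=-",
]

def parse(line):
    """Split one constructed record into a dict with parsed time and event id."""
    ts, event_id, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["time"] = datetime.fromisoformat(ts)
    rec["id"] = int(event_id)
    return rec

def rdp_bruteforce_alerts(lines, threshold=5, window=timedelta(minutes=10)):
    """Return (ip, failure_count, user) for every source IP that records at
    least `threshold` failed RDP logons within `window` and then logs on
    successfully: the password-guessing-then-success pattern."""
    failures = defaultdict(list)  # source ip -> timestamps of recent 4625s
    alerts = []
    for rec in map(parse, lines):
        if rec.get("LogonType") != "10":
            continue  # only RemoteInteractive (RDP) logons are of interest
        ip = rec["IpAddress"]
        if rec["id"] == 4625:
            failures[ip].append(rec["time"])
            # keep only failures inside the sliding window
            failures[ip] = [t for t in failures[ip] if rec["time"] - t <= window]
        elif rec["id"] == 4624 and len(failures[ip]) >= threshold:
            alerts.append((ip, len(failures[ip]), rec["User"]))
            failures[ip].clear()
    return alerts

if __name__ == "__main__":
    for ip, count, user in rdp_bruteforce_alerts(EVENTS):
        print(f"ALERT: {count} failed RDP logons from {ip}, then success as {user}")
```

The single doctor who mistyped a password once and then logged in is not flagged, while the address that cycled through five account names before succeeding is.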

The Breach Remediation Process:

  • A major IT initiative was required to bring the system back online

  • Data recovery attempt

  • FBI and State Police Notification

  • A security review and implementation of new policies and procedures

  • Contact made with malpractice carrier regarding breach

  • Assigned an attorney by the insurance carrier

  • Notification to all patients via 1st class mail

  • Notification in local newspapers

  • Notification on the practice's Web Site

  • Identity theft monitoring

  • Set up a call center for 90 days so patients had access to information regarding the breach

  • Notification to Health and Human Services and the Office of Civil Rights

  • Ongoing security enhancements and system hardening

  • Employee Cyber Security training

  • Vulnerability Scanning

  • Penetration Testing

  • PR damage control

The Take-Away

1. Don't assume that just because you have a good IT company or full-time staff your security is where it needs to be. It takes a company that specializes in Cyber Security to thoroughly evaluate and secure your infrastructure. It also makes logical sense to have a third party validate your security instead of the company handling your IT. Self-validation is very risky. A small mistake in a network configuration can be a disaster. Third-party validation is standard operating procedure for all businesses.

2. Under the HIPAA Security Rule, you must train your staff on Cyber Security threats. Make sure you engage a company that specializes in Cyber Security training.

3. Don't take cyber security lightly. A breach or Ransomware is more impactful than you realize. The financial and emotional toll on you and your staff is significant. The amount of time required to recover is great and takes away from treating patients.

4. Don't think it can't happen to you. Hackers are going after small businesses as well as healthcare entities because they know they have weak defenses. It is very easy to find your information online and exploit your practice based on public information.

5. If you do get hit, you must immediately consult with an attorney. Failure to report the breach can result in significant penalties and under most circumstances is a violation of federal and sometimes state laws.

6. Make sure you have a viable backup that has been restored and tested to validate its data integrity.

Cyber Prevention | Breach Response | Forensic Investigation | Cybersecurity Awareness Training

© 2020 Black Talon Security, LLC.  All rights reserved | 2875 Route 35 | Katonah, NY 10536 | 800-683-3797