A Postmortem On A Cyber Attack
Here is a high-level overview of an OMS practice that was hit by a Ransomware cyber attack, leaving them crippled and resulting in a tremendous loss of data.
A four-location OMS practice with approximately 60 computers connected via a VPN.
Full-time IT staff
High-end enterprise firewalls at each location
Running a dedicated OMS software solution with 2D and 3D digital radiography shared across all locations.
In July 2017, the practice noticed that something was wrong with their network. All of a sudden their files became inaccessible. They had been hit by a Ransomware attack. Within a few minutes, the Ransomware had spread through their VPN (virtual private network) and impacted every computer and server, leaving them completely down. The practice lost all their attachments and x-rays. An attempt to restore their images and attachments from remote storage failed.
Practice Management Software
Imaging - 2D and 3D
Insurance Claim Processing due to the loss of attachments.
Initial Forensic Findings:
An initial forensic analysis determined the hackers first found an open Remote Desktop Protocol (RDP) port. Once they gained access through the RDP port, a weak password enabled them to actively inject the ransomware into the network. This gave the attackers complete access to the network. The hackers asked for an exorbitant amount of money for the key to decrypt the data. Law enforcement advised against paying. A full forensics exam is currently underway.
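The two findings above, an RDP service reachable from the Internet and a password that fell to guessing, leave a recognizable trail in the Windows Security log: a run of failed logons (event 4625) from one source address followed by a successful RemoteInteractive logon (event 4624, logon type 10) from the same address. The script below is an added example, not code from the original postmortem or the practice's IT staff; it runs that detection over a handful of constructed event records (the event IDs and logon type are the real Windows values, the timestamps, accounts and addresses are invented, and the list of internal networks is an assumption standing in for the practice's own address ranges).

```python
"""Flag RDP logons that follow a burst of failed logons from the same
source, or that come from outside the practice's own networks.

Added example (not part of the original postmortem). The events below
are constructed records in a simplified dict form; a real pipeline
would fill them from exported Security log entries.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows: an account failed to log on
SUCCESS_LOGON = 4624     # Windows: an account was successfully logged on
RDP_LOGON_TYPE = 10      # logon type 10 = RemoteInteractive (RDP)

FAILURE_THRESHOLD = 5    # failures from one source before a logon is suspicious
WINDOW = timedelta(minutes=10)

# Assumed address ranges of the practice's four sites (placeholder, not real)
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample: six guesses against "administrator" from an outside
# address (203.0.113.0/24 is a documentation range), then a successful RDP
# logon; later a staff user mistypes once from an internal workstation.
SAMPLE_EVENTS = [
    {"time": f"2017-07-14T02:0{1 + i // 2}:{5 + 25 * (i % 2):02d}",
     "event_id": FAILED_LOGON, "src_ip": "203.0.113.45",
     "account": "administrator"} for i in range(6)
] + [
    {"time": "2017-07-14T02:04:10", "event_id": SUCCESS_LOGON,
     "logon_type": RDP_LOGON_TYPE, "src_ip": "203.0.113.45",
     "account": "administrator"},
    {"time": "2017-07-14T08:15:00", "event_id": FAILED_LOGON,
     "src_ip": "10.0.1.20", "account": "jsmith"},
    {"time": "2017-07-14T08:15:20", "event_id": SUCCESS_LOGON,
     "logon_type": RDP_LOGON_TYPE, "src_ip": "10.0.1.20",
     "account": "jsmith"},
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_rdp_compromise(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Return one alert per suspicious RDP logon.

    An RDP logon is suspicious when at least `threshold` failed logons from
    the same source fall inside `window` before it, or when the source is
    not one of the internal networks (i.e. RDP is exposed to the Internet).
    """
    ordered = sorted(events, key=lambda e: e["time"])  # ISO-8601 sorts chronologically
    failures = defaultdict(list)                       # src_ip -> failure timestamps
    alerts = []
    for e in ordered:
        ip, t = e["src_ip"], datetime.fromisoformat(e["time"])
        if e["event_id"] == FAILED_LOGON:
            failures[ip].append(t)
        elif e["event_id"] == SUCCESS_LOGON and e.get("logon_type") == RDP_LOGON_TYPE:
            recent = [x for x in failures[ip] if t - x <= window]
            reasons = []
            if len(recent) >= threshold:
                reasons.append("brute_force_then_rdp_logon")
            if not is_internal(ip):
                reasons.append("external_source")
            if reasons:
                alerts.append({"time": e["time"], "src_ip": ip,
                               "account": e["account"],
                               "failures": len(recent), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_rdp_compromise(SAMPLE_EVENTS):
        print(a)
```

Only the outside address produces an alert, with both reasons attached; the internal user's single typo is below the threshold and comes from an allowed network. In practice the "external_source" rule alone is worth running continuously, since any RDP logon arriving from the Internet means the port is exposed whether or not a password guess has succeeded yet.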
The Breach Remediation Process:
A major IT initiative was required to bring the system back online
Data recovery attempt
FBI and State Police Notification
A security review and implementation of new policies and procedures
Contact made with malpractice carrier regarding breach
Assigned an attorney by the insurance carrier
Notification to all patients via first-class mail
Notification in local newspapers
Notification on the practice's website
Identity theft monitoring
Set up a call center for 90 days for patients to have access to information regarding the breach
Notification to Health and Human Services and the Office for Civil Rights
Ongoing security enhancements and system hardening
Employee Cyber Security training
PR damage control
1. Don't assume that just because you have a good IT company or full-time staff that your security is where it needs to be. It takes a company that specializes in Cyber Security to thoroughly evaluate and secure your infrastructure. It also makes logical sense to have a third party validate your security instead of the company handling your IT. Self-validation is very risky. A small mistake in a network configuration can be a disaster. Third-party validation is standard operating procedure for all businesses.
2. Under the HIPAA Security Rule, you must train your staff on Cyber Security threats. Make sure you engage a company that specializes in Cyber Security training.
3. Don't take cyber security lightly. A breach or Ransomware is more impactful than you realize. The financial and emotional toll on you and your staff is significant. The amount of time required to recover is great and takes away from treating patients.
4. Don't think it can't happen to you. Hackers are going after small businesses as well as healthcare entities because they know these targets often have weak defenses. It is very easy to find your information online and exploit your practice based on public information.
5. If you do get hit, you must immediately consult with an attorney. Failure to report the breach can result in significant penalties and under most circumstances is a violation of federal and sometimes state laws.
6. Make sure you have a viable backup that has been restored and tested to validate its data integrity.
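Point 6 is the one this practice failed on: the remote copy existed, but nobody had proved it could be restored until the day it was needed. The script below is an added example, not code from the original postmortem or any backup product; it shows the minimum a restore test should do, in standard-library Python: hash every file when the backup is taken, keep that manifest apart from the backup medium, restore into a scratch location and compare every restored file against the manifest, so that a missing or altered file (for instance one overwritten by ransomware that reached the backup share) is reported rather than silently passing. The sample file tree it builds (placeholder bytes with x-ray-style names, not real DICOM images) is constructed for the demo.

```python
"""Backup restore test with a SHA-256 manifest.

Added example (not part of the original postmortem). Runs entirely in a
temporary directory with constructed sample files.
"""
import hashlib
import os
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large image files don't need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def make_backup(src: Path, dst: Path) -> dict:
    """Copy src to dst and return a manifest of the copy.

    The manifest is computed over the copy, not the source, because the copy
    is what we will have to trust later. The caller must store it somewhere
    the backup process (and anything that compromises it) cannot overwrite.
    """
    shutil.copytree(src, dst)
    return build_manifest(dst)


def verify_restore(backup: Path, restore_to: Path, manifest: dict) -> dict:
    """Restore the backup to a scratch location and check it file by file."""
    shutil.copytree(backup, restore_to)
    restored = build_manifest(restore_to)
    missing = sorted(set(manifest) - set(restored))
    corrupted = sorted(k for k in manifest
                       if k in restored and restored[k] != manifest[k])
    return {"ok": not missing and not corrupted,
            "files_checked": len(manifest),
            "missing": missing, "corrupted": corrupted}


def demo() -> tuple:
    """Run a clean restore test, then one against a damaged backup."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        live = tmp / "live"
        (live / "xrays").mkdir(parents=True)
        # Constructed sample data: random bytes, not real images or records
        (live / "xrays" / "pano_0001.dcm").write_bytes(os.urandom(4096))
        (live / "xrays" / "cbct_0002.dcm").write_bytes(os.urandom(8192))
        (live / "attachments.db").write_bytes(os.urandom(2048))

        manifest = make_backup(live, tmp / "backup")   # keep this off the backup medium
        clean = verify_restore(tmp / "backup", tmp / "restore_1", manifest)

        # Simulate a backup that ransomware reached: one file overwritten,
        # one file gone. The restore test must catch both.
        (tmp / "backup" / "xrays" / "pano_0001.dcm").write_bytes(b"ENCRYPTED")
        (tmp / "backup" / "attachments.db").unlink()
        damaged = verify_restore(tmp / "backup", tmp / "restore_2", manifest)
        return clean, damaged


if __name__ == "__main__":
    clean_report, damaged_report = demo()
    print("clean backup:  ", clean_report)
    print("damaged backup:", damaged_report)
```

The first report comes back with `ok` true and three files checked; the second names `attachments.db` as missing and `xrays/pano_0001.dcm` as corrupted. Scheduling this restore test after every backup run, and keeping the manifest on media the backup job cannot write to, turns "we have a backup" into something the practice can actually rely on.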