• Jules Vergara, CTO

A Postmortem Exam of a Cyber Attack

Updated: Oct 19, 2020

Here is a high-level overview of a ransomware attack on an Oral and Maxillofacial Surgery (OMS) practice. The attack left the practice crippled and resulted in a tremendous loss of data.

Practice Background:

A four-location OMS practice with approximately 60 computers, with the locations connected to each other via a VPN.

IT Background:

  • Full-time IT staff

  • High-end enterprise firewalls at each location

  • Running a dedicated OMS software solution with 2D and 3D digital radiography shared across all locations

The Event:

In July 2017, the practice noticed that something was wrong with its network: all of a sudden, files became inaccessible. It had been hit by a ransomware attack. Within a few minutes, the ransomware had spread across the VPN (virtual private network) linking the locations and impacted every computer and server, leaving the practice completely down. The practice lost all of its attachments and X-rays, and an attempt to restore the images and attachments from remote storage failed.

Systems Impacted:

  • Practice Management Software

  • Imaging - 2D and 3D

  • Insurance Claim Processing due to the loss of attachments

Initial Forensic Findings:

An initial forensic analysis determined that the attackers first found an open Remote Desktop Protocol (RDP) port reachable from the internet. A weak password on an account allowed them to log in over RDP, and from that foothold they deployed the ransomware across the network. This gave them complete access to the network. The attackers demanded an exorbitant sum of money for the key to decrypt the data; law enforcement advised against paying. A full forensic exam is currently underway.
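The pattern in the finding above, a burst of failed RDP logons from one address followed by a successful RDP logon, is visible in the Windows Security log long before the ransomware runs. The script below is an added example, not part of the original post and not Black Talon's own tooling: it reads a simplified text export of Security log records and flags that pattern. Event 4625 (failed logon), event 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the real Windows event identifiers; the line format, account names and source addresses are constructed for the example.

```python
"""Flag RDP password guessing that ends in a successful logon (added example).

Windows Security log event 4625 is a failed logon and 4624 a successful one;
logon type 10 (RemoteInteractive) is what an RDP session produces. The lines
below are constructed sample records in a simplified text export, not real logs.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2017-07-14T02:10:41 4625 LogonType=10 Account=administrator Source=203.0.113.77
2017-07-14T02:10:43 4625 LogonType=10 Account=administrator Source=203.0.113.77
2017-07-14T02:10:46 4625 LogonType=10 Account=admin Source=203.0.113.77
2017-07-14T02:10:48 4625 LogonType=10 Account=scanner Source=203.0.113.77
2017-07-14T02:10:50 4625 LogonType=10 Account=frontdesk Source=203.0.113.77
2017-07-14T02:10:55 4624 LogonType=10 Account=frontdesk Source=203.0.113.77
2017-07-14T08:02:10 4624 LogonType=10 Account=drsmith Source=10.20.0.15
2017-07-14T08:05:31 4625 LogonType=10 Account=drsmith Source=10.20.0.15
2017-07-14T08:05:40 4624 LogonType=10 Account=drsmith Source=10.20.0.15
2017-07-14T09:14:00 4625 LogonType=2 Account=billing Source=-
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"Account=(?P<acct>\S+) Source=(?P<src>\S+)$"
)

FAILED_LOGON, SUCCESS_LOGON, RDP_LOGON_TYPE = 4625, 4624, 10


def parse_events(text):
    """Parse the simplified export into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "eid": int(m["eid"]),
                "ltype": int(m["ltype"]),
                "acct": m["acct"],
                "src": m["src"],
            })
    return events


def find_rdp_guessing(events, min_failures=5, window=timedelta(minutes=10)):
    """Return one alert per source address that produced at least `min_failures`
    failed RDP logons inside `window`. If that source then logs on successfully
    over RDP while failures are still inside the window, the alert is escalated
    and the account that was eventually guessed is recorded."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["ltype"] == RDP_LOGON_TYPE:  # console and network logons are out of scope here
            by_src[ev["src"]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        recent = []  # failures still inside the sliding window
        for ev in evs:
            recent = [f for f in recent if ev["ts"] - f["ts"] <= window]
            if ev["eid"] == FAILED_LOGON:
                recent.append(ev)
                if len(recent) >= min_failures:
                    alert = alerts.setdefault(src, {
                        "src": src, "severity": "medium",
                        "accounts_tried": set(), "compromised": None, "when": None,
                    })
                    alert["accounts_tried"].update(f["acct"] for f in recent)
            elif ev["eid"] == SUCCESS_LOGON and src in alerts and recent:
                # a success while the guessing burst is still fresh: treat as a compromise
                alert = alerts[src]
                alert["severity"] = "high"
                alert["compromised"] = ev["acct"]
                alert["when"] = ev["ts"].isoformat()
                recent = []  # start a fresh window after the success

    result = []
    for alert in alerts.values():
        alert["accounts_tried"] = sorted(alert["accounts_tried"])
        result.append(alert)
    return sorted(result, key=lambda a: a["src"])


if __name__ == "__main__":
    for a in find_rdp_guessing(parse_events(SAMPLE_LOG)):
        print(a)
```

Run against the sample, the script reports one high-severity alert for 203.0.113.77 with the account `frontdesk` compromised after four different usernames were tried; the single failed logon from 10.20.0.15 (a user mistyping a password) stays below the threshold. In a real deployment the records would come from `Get-WinEvent` or a log collector rather than a text file, and an alert like this should pair with an account-lockout policy and with RDP not being reachable from the internet at all.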

The Breach Remediation Process:

  • A major IT initiative was required to bring the system back online

  • Data recovery attempt

  • FBI and State Police Notification

  • A security review and implementation of new policies and procedures

  • Contact made with malpractice carrier regarding breach

  • Assigned an attorney by the insurance carrier

  • Notification to all patients via 1st class mail

  • Notification in local newspapers

  • Notification on the practice's website

  • Identity theft monitoring

  • Set up a call center for 90 days for patients to have access to information regarding the breach

  • Notification to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR)

  • Ongoing security enhancements and system hardening

  • Employee cybersecurity training

  • Vulnerability Scanning

  • Penetration Testing

  • PR damage control

The Take-Away

1. Don't assume that just because you have a good IT company or full-time IT staff, your security is where it needs to be. It takes a company that specializes in cybersecurity to thoroughly evaluate and secure your infrastructure. It also makes sense to have a third party validate your security rather than the company that handles your IT: self-validation is very risky, and a single mistake in a network configuration can be a disaster. Third-party validation is standard operating procedure in most industries.

2. Under the HIPAA Security Rule (the security awareness and training standard, 45 CFR 164.308(a)(5)), you must train your staff on cybersecurity threats. Make sure you engage a company that specializes in cybersecurity training.

3. Don't take cybersecurity lightly. A breach or ransomware incident is more impactful than you realize. The financial and emotional toll on you and your staff is significant, and recovery takes a great deal of time, time taken away from treating patients.

4. Don't think it can't happen to you. Hackers go after small businesses and healthcare entities because they know those targets often have weak defenses. It is very easy to find information about your practice online and use it to target you.

5. If you do get hit, consult an attorney immediately. Failure to report the breach can result in significant penalties and, under most circumstances, is a violation of federal and sometimes state law.

6. Make sure you have a viable backup that you have actually restored and tested to validate its integrity. Keep at least one copy offline or otherwise unreachable from the production network: a backup that ransomware can reach over the same network can be encrypted along with everything else, and you only find out when the restore fails.
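What "restored and tested" can mean in practice, as an added example that is not from the original post or from Black Talon: record a SHA-256 manifest of the backup set when the backup is taken, then compare a test restore against that manifest and report anything missing or altered. The directory layout, file names and file contents below are constructed inline so the example runs offline.

```python
"""Verify a test restore against a hash manifest taken at backup time (added example)."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large image files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root):
    """Map every file under root (path relative to root, POSIX style) to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest captured when the backup was taken.
    A restore only counts as good when nothing is missing and nothing has changed."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    extra = sorted(set(restored) - set(manifest))
    return {"ok": not missing and not corrupt, "missing": missing,
            "corrupt": corrupt, "extra": extra, "checked": len(manifest)}


def demo():
    """Build a constructed backup set, then check one clean and one damaged restore.
    Returns (clean_report, damaged_report)."""
    # Constructed sample data standing in for images, claim attachments and a database dump.
    sample_files = {
        "xrays/pano_0001.dcm": b"\x00" * 4096 + b"DICM" + b"\x01" * 512,
        "attachments/claim_7731.pdf": b"%PDF-1.4 constructed sample\n",
        "db/pms_nightly.bak": b"TAPE" + bytes(range(256)) * 8,
    }
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp, "backup")
        for rel, data in sample_files.items():
            target = backup / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        manifest = build_manifest(backup)  # captured at backup time, stored apart from the data

        clean = Path(tmp, "restore_clean")
        shutil.copytree(backup, clean)
        clean_report = verify_restore(manifest, clean)

        damaged = Path(tmp, "restore_damaged")
        shutil.copytree(backup, damaged)
        (damaged / "db/pms_nightly.bak").unlink()                      # file never came back
        (damaged / "xrays/pano_0001.dcm").write_bytes(b"\x00" * 4096)  # truncated copy
        (damaged / "attachments/stray.tmp").write_bytes(b"junk")       # not in the backup set
        damaged_report = verify_restore(manifest, damaged)
    return clean_report, damaged_report


if __name__ == "__main__":
    for name, report in zip(("clean restore", "damaged restore"), demo()):
        print(name, "OK" if report["ok"] else "FAILED", report)
```

Two design points matter here. The manifest has to be stored somewhere the attacker cannot reach along with the backup, otherwise both can be rewritten together. And a byte-level comparison is only the first half of the test: the rehearsal should finish with the practice management and imaging software actually opening the restored data, since a restore that is bit-identical but points at the wrong database version is still not a restore.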
