A Postmortem Exam of a Cyber Attack
Updated: Oct 19, 2020
Here is a high-level overview of a ransomware cyberattack on an Oral and Maxillofacial Surgery (OMS) practice. The attack left the practice crippled and resulted in a tremendous loss of data.
A four-location OMS practice with approximately 60 computers connected via a VPN
Full-time IT staff
High-end enterprise firewalls at each location
Running a dedicated OMS software solution with 2D and 3D digital radiography shared across all locations
In July 2017, the practice noticed that something was wrong with its network: all of a sudden, its files became inaccessible. The practice had been hit by a ransomware attack. Within a few minutes, the ransomware had spread through the VPN (virtual private network) and impacted every computer and server, leaving the practice completely down. The practice lost all of its attachments and X-rays, and an attempt to restore the images and attachments from remote storage failed.
Operations Impacted:
Practice Management Software
Imaging - 2D and 3D
Insurance Claim Processing, due to the loss of attachments
Initial Forensic Findings:
An initial forensic analysis determined that the hackers first found an open Remote Desktop Protocol (RDP) port. A weak password then let them log in through that RDP port, and from that foothold they actively injected the ransomware into the network. This gave the attackers complete access to the network. The hackers demanded an exorbitant amount of money for the key to decrypt the data. Law enforcement advised against paying. A full forensics exam is currently underway.
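The two conditions the forensic findings identify, an RDP service reachable from the outside and weak-password logins with nothing to slow guessing, can be audited on each Windows host. The following read-only PowerShell script is an added example, not code from the original post or the practice's IT staff; it assumes an elevated session on the host being checked and uses only the built-in registry settings, firewall cmdlets and `net accounts` output.

```powershell
# Added example: report the RDP exposure settings behind this incident.
# Read-only; it changes nothing. Run as Administrator on each Windows host.

$findings = @()

# 1. Is RDP enabled at all? fDenyTSConnections = 0 means connections are allowed.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -eq 0) {
    $findings += 'RDP is enabled; confirm this host actually needs it.'
}

# 2. Network Level Authentication (NLA): credentials are required before a
#    session is created, so unauthenticated clients never reach the logon screen.
#    A missing value is treated as "not enabled".
$rdpTcp = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
if ($rdpTcp.UserAuthentication -ne 1) {
    $findings += 'NLA is off; unauthenticated clients can reach the RDP logon screen.'
}

# 3. Firewall scope: the built-in Remote Desktop rules should not accept
#    connections from "Any" remote address; limit them to the VPN/management subnet.
$rules = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True -ErrorAction SilentlyContinue
foreach ($r in $rules) {
    $remote = ($r | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings += "Firewall rule '$($r.DisplayName)' allows RDP from any address."
    }
}

# 4. Account lockout: a weak password is far more dangerous when guessing is unlimited.
#    'net accounts' prints "Lockout threshold: Never" when no threshold is set.
$lockoutLine = net accounts | Select-String 'Lockout threshold'
if ($lockoutLine -and $lockoutLine.Line -match 'Never') {
    $findings += 'No account lockout threshold; password guessing against RDP is unlimited.'
}

if ($findings.Count -eq 0) {
    'No RDP exposure findings on this host.'
} else {
    $findings
}
```

Any finding the script prints corresponds directly to one of the conditions the forensic analysis named, so a clean report on every host is a reasonable first check before a third party validates the configuration.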
The Breach Remediation Process:
A major IT initiative was required to bring the system back online
Data recovery attempt
FBI and State Police Notification
A security review and implementation of new policies and procedures
Contact made with malpractice carrier regarding breach
Assigned an attorney by the insurance carrier
Notification to all patients via 1st class mail
Notification in local newspapers
Notification on the practice's website
Identity theft monitoring
Set up a call center for 90 days so that patients could get information regarding the breach
Notification to Health and Human Services and the Office for Civil Rights
Ongoing security enhancements and system hardening
Employee cybersecurity training
PR damage control
Lessons Learned:
1. Don't assume that just because you have a good IT company or full-time staff, your security is where it needs to be. It takes a company that specializes in cybersecurity to thoroughly evaluate and secure your infrastructure. It also makes logical sense to have a third party validate your security instead of the company handling your IT. Self-validation is very risky: a small mistake in a network configuration can be a disaster. Third-party validation is standard operating procedure for all businesses.
2. Under the HIPAA Security Rule, you must train your staff on cybersecurity threats. Make sure you engage a company that specializes in cybersecurity training.
3. Don't take cybersecurity lightly. A breach or ransomware is more impactful than you realize. The financial and emotional toll on you and your staff is significant. The amount of time required to recover is great and takes away from you treating patients.
4. Don't think it can't happen to you. Hackers are going after small businesses as well as healthcare entities because they know such organizations have weak defenses. It is very easy to find your information online and exploit your practice based on public information.
5. If you do get hit, you must immediately consult with an attorney. Failure to report the breach can result in significant penalties; under most circumstances it is a violation of federal law, and sometimes of state law as well.
6. Make sure you have a viable backup, and that it has actually been restored and tested to validate its data integrity.