Healthcare IT Systems: Tempting Targets for Ransomware

Well, there’s no use in waiting, I suppose. Two Thursdays ago, Chicago-based electronic health records provider Allscripts Healthcare Solutions suffered a ransomware attack that paralyzed some of its services. This past Friday, the company announced it had completely recovered from the cyberattack. But not before a class action lawsuit [pdf] was filed against it by an orthopedic non-surgery practice for failing to secure its systems and data from a well-known cybersecurity threat, i.e., a strain of SamSam.

The ransomware attack impaired Allscripts’ data centers in Raleigh and Charlotte, North Carolina, affecting a number of applications, such as its Professional EHR and Electronic Prescriptions for Controlled Substances (EPCS) hosted services, which were mostly restored within five days, according to the company. Other services, like clinical decision support, analytics, data extraction, and regulatory reporting, took the longest to make operational again.

Allscripts tried to play down the impact of the loss of services, saying that only about 1,500 out of the 45,000 physician practices it serves were impacted; “none were hospitals or large independent physician practices”; and no patient data was taken.

How Not to Keep Clients

Needless to say, Allscripts’ statement, as well as a lack of immediately available information angered those small physician practices that were greatly disrupted by the attack. From their perspective, it seemed as though Allscripts didn’t think their problems were very important. Many physician practices reported having to shut down or cancel tests and surgeries, leading to major revenue losses. I expect many of these smaller physician offices will be reconsidering their contracts with Allscripts when their renewal times come up, as well as possibly filing lawsuits of their own.

Allscripts’ clients weren’t the only healthcare providers hit by the same ransomware recently. The Adams Health Network, based in Decatur, Indiana, was struck by such an attack on 11 January, as was Hancock Health in Greenfield, Indiana. Hancock Health decided to pay the ransom of 4 bitcoins, or about $47,000, to regain access to its patient medical files and company emails.

The hospital decided that paying was cheaper and less disruptive than rebuilding its IT systems. The hospital’s senior vice president and chief strategy officer said, “The amount of the ransom was reasonable in respect to the cost of continuing down time and not being able to care for patients.” It will be interesting to see how long it will be before Hancock Health is hit again, now that a public price for its data has been set.

Norway is also reeling from a likely cyber intrusion into a major healthcare network. According to news reports, the IT systems of Helse Sør-Øst RHF (Health South-East RHF), the health organization which provides healthcare to some 2.9 million of the 5.2 million residents of Norway, were possibly breached on 8 January. The attacker was described as “an advanced and professional player.” There is some speculation that the cyber-attack was related to a NATO exercise scheduled for October called Trident Juncture. That hypothesis stems from the fact that healthcare information related to Norway’s military was specifically targeted.

Exactly what patient information was taken is not known at this time. What is known, however, is that Norway did not follow the EU General Data Protection Regulation mandate to disclose the data breach within 72 hours of it being discovered. The breach wasn’t reported until 15 January, a week after suspicious activity was found on the Health South-East RHF’s networks.

Healthcare IT Systems:  Ransomware Target of Choice

While the Norway cyber intrusion doesn’t appear to involve ransomware, these types of attacks against healthcare systems have been going on for quite some time. (The first known ransomware event happened in 1989 and it was against healthcare systems.) The advent of widespread EHR systems, a lack of IT security expertise, and a plethora of legacy systems existing in the healthcare industry have made them a very tempting target. If fact, some 88 percent of ransomware attacks are reportedly against hospital systems. That number could actually be higher, considering that many have likely gone unreported.

The global WannaCry ransomware attack that hit hospitals across the UK last May shows why. A National Audit Office report [pdf] into the attack indicated that there was a lack of urgency at NHS trusts to secure their IT systems, even though they were known to be vulnerable. The report stated that “relatively simple action(s)” could have prevented the attack from causing 19,000 National Health Service appointments, including surgeries, to be cancelled between 12 and 19 May. All the affected NHS trusts had unpatched or unsupported Windows operating systems, as well as poorly managed firewalls, the NAO report stated.

As impactful as it was, the UK government cyber security group rated the NHS ransomware attack last year a category 2 (C2) level attack, meaning it was a significant incident requiring coordinated cross-government response, and a public-government response. Last week, Ciaran Martin, the head of the UK’s National Cyber Security Centre warned again that a category 1 (C1) level attack [pdf]—an attack on the nation’s infrastructure that causes serious damage to human welfare or national economic cost—was not a matter of if, but when. Martin said that such an event would occur probably within the next two years.

Martin also implied that ignoring “relatively simple actions” will make the consequences of whatever attack eventually takes place, much, much worse. Whether anyone in the UK pays heed to Martin’s warning is another question.