Healthcare Organizations Mopping Up After Cyberattacks
Ohio Entity Admits 'Negotiating' With Attackers; Nevada System Says Breach Affected 1.3 Million
Two large healthcare systems - one in Ohio and another in Nevada - continue to mop up after recent cyberattacks apparently involving ransomware.
Memorial Health System, based in Marietta, Ohio, says it's continuing to restore its IT systems after reaching a "negotiated solution" last week following an Aug. 15 cyberattack. The incident had forced the organization to suspend user access to applications related to its operations and divert emergency care patients from three of its hospitals to other area facilities.
Meanwhile, Las Vegas-based University Medical Center of Southern Nevada recently reported to federal regulators that a cyberattack detected in June had affected 1.3 million individuals.
The UMCSN hacking incident - which also apparently involved ransomware - is the seventh-largest breach added so far this year to the Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Memorial Health System Recovery
On Aug. 16, Memorial Health System revealed that the previous morning it had detected a security incident that prompted the organization to divert emergency care patients from three of its hospitals to other area facilities.
A Memorial Health System spokeswoman told Information Security Media Group on Monday that "a settlement was negotiated with a decryption key being provided" by attackers involved in the incident. "We are maintaining the settlement amount as confidential," she says.
The organization's digital forensic and incident response team is investigating whether patient, employee or other information was stolen or exfiltrated in the attack, she says.
News site Bleeping Computer reported on Aug. 16 that it had seen evidence that the Memorial Health System incident involved the Hive ransomware gang.
"The FBI believes the threat actor is Hive," the Memorial Health System spokeswoman confirmed to ISMG.
In an Aug. 18 statement posted on its website, Memorial Health System noted that following the "negotiated solution," it was beginning the process of restoring systems.
"We are following a deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes our ability to provide patient care. This could happen as early as Sunday," Scott Cantley, Memorial Health System president and CEO, said in the Aug. 18 statement.
Offering an update, the Memorial Health System spokeswoman told ISMG on Monday that the organization's systems "are being actively restored with full functionality expected any day now." Additionally, Memorial Health System is no longer postponing or diverting care, she said.
Under Pressure
"Ransomed hospitals are under immense pressure to resolve the problem as quickly as possible," says threat analyst Brett Callow of security firm Emsisoft.
"Unfortunately, paying the demand doesn’t guarantee that will happen as the slow and buggy decryptors the attackers provide can make the recovery process even longer than it would otherwise be," he says. "Plus, of course, paying the ransom is a far from ideal solution as it simply means that cybercriminals continue to become better resourced and more motivated."
Memorial Health System in its Aug. 18 statement said it "will continue to focus on remediation technology that will be added to already intensive security systems. We continue to implement enhancements to our information security, systems, and monitoring capabilities."
The Memorial Health spokeswoman added: "Our IT team is working with leading cybersecurity companies to determine what we’ll add to our systems moving forward."
UMCSN Update
Meanwhile, UMCSN in a July 31 breach notification statement says that information gathered by investigators thus far showed that a compromise began on June 14, "and UMC was able to end the compromise on June 15."
The Las Vegas Review-Journal reported on June 30 that UMC issued a statement acknowledging it had been the victim of a cyberattack after the newspaper viewed images posted on the REvil ransomware gang website.
The Nevada medical center on Monday did not immediately respond to ISMG's request for additional details regarding the apparent ransomware incident involving REvil.
A UMCSN spokesman told ISMG on July 1 that there had been no disruptions to patient care or the medical center's clinical systems as a result of the cyberattack.
In a notification statement posted on its website, UMCSN says that the hospital’s IT experts determined that certain files on its network servers were compromised during the incident.
The information contained in the compromised files included individuals' names, addresses, dates of birth, Social Security Numbers and clinical information, such as history, diagnosis and test results. Financial information, such as insurance numbers, also may have been included in the files, UMCSN said.
UMCSN notified the FBI and the Las Vegas Metropolitan Police Department about the incident. The Nevada medical center says it has launched a number of security initiatives, including working closely with external cybersecurity professionals and updating internal and external technology solutions to further safeguard the medical center against cyberattacks.