Hospital Diverts Ambulances Due to Ransomware AttackLatest Cyber Incident Spotlights Impact on Patient Care
A ransomware attack forced a Missouri county medical center to divert ambulances carrying trauma and stroke patients to other facilities as the critical access hospital continues to recover.
The ransomware attack Monday impacted the enterprise IT infrastructure, including the electronic health records system, at Harrisonville, Mo.-based Cass Regional Medical Center, which includes 35 inpatient beds and several outpatient clinics, a spokeswoman tells Information Security Media Group.
As of Wednesday morning, about 70 percent of Cass' affected systems were restored, she says. Except for diverting urgent stroke and trauma patients to other hospitals "out of precaution," Cass Regional has continued to provide inpatient and outpatient services for less urgent situations as it recovers from the attack, she says.
"We've gone to our downtime processes," she says, which include resorting to the use of paper records while the hospital's Meditech EHR system is offline during the restoration and forensics investigation, she says.
The hospital is working with an unnamed international computer forensics firm to decrypt data in its systems, she adds, declining to disclose the type of ransomware involved in the attack or whether the hospital paid a ransom to obtain a decryption key from extortionists.
Another Wake-Up Call
The incident serves as yet another warning about the potential disruption that cyberattacks, including those involving ransomware, pose to the delivery of patient care and other services.
"This is a perfect example of how cybersecurity breaches and incidents can have a very real physical safety and patient health negative impact."
— Rebecca Herold
"This is a perfect example of how cybersecurity breaches and incidents can have a very real physical safety and patient health negative impact," says Rebecca Herold, president of Simbus, a privacy and cloud security services firm, and CEO of The Privacy Professor consultancy.
"I've found this is a point that most doctors, nurses and other types of caregivers can relate most closely to, and have also seen this realization result in them - finally - supporting more and stronger cybersecurity controls within their facilities and systems."
Cass Regional is just one of many healthcare entities to have a cyberattack impact patient care delivery. For instance, in 2016, MedStar Health, a 10-hospital system serving Maryland and the Washington area, was forced to shut down many of its systems to avoid the spread of malware. The attack forced the healthcare organization to temporarily resort to paper records, disrupting some patient appointments.
In a Monday statement, Cass Regional says the medical center became aware of a ransomware attack on its information technology infrastructure at around 11 a.m. that day.
"Affected areas include internal communication systems and access to the organization's EHR," the statement says. Cass Regional says that so far, it has not seen evidence that patient data has been compromised, "but as an extra precaution, Meditech, the hospital's EHR vendor, has opted to shut down the system until the attack is resolved."
Hospital leadership initiated the organization's incident response protocol within 30 minutes of the first signs of attack, the statement says.
"Patient care managers met to develop detailed plans to ensure that patient care continued to be provided in a safe and effective manner, while information technology and senior leaders are working with law enforcement and cybersecurity experts to develop a quick resolution to the situation," the statement says.
"We are deploying every resource available to us to resolve this situation quickly so we can resume normal operations," Cass Regional Medical Center CEO Chris Lang says in the statement.
As of Wednesday, the U.S. Department of Health and Human Services' Office for Civil Rights' HIPAA Breach Reporting Tool website - commonly called the "wall of shame" - shows a total of 2,366 breaches impacting nearly 263.7 million individuals reported since 2009. Of those, 28 incidents affecting a total of about 194,000 individuals are listed as involving ransomware, according to a spreadsheet available on the wall of shame website.
Despite OCR guidance issued in 2016 saying that in most cases, ransomware attacks result in breaches that are reportable under HIPAA, some experts say ransomware attacks are likely being underreported on the OCR tally.
For example, the Medstar incident is not listed as a breach on the wall of shame. And the Cass Regional spokeswoman says evidence so far does not indicate the ransomware attack on the medical center has resulted in a reportable HIPAA breach.
But Herold contends that many ransomware incidents aren't being correctly assessed for whether they're reportable breaches.
"'Lack of evidence' does not mean that it is not a HIPAA breach," Herold says. "A large portion of privacy breaches leave no evidence. That is a disingenuous statement for the hospital to make. It is used too often and shows a disrespect for those whose PHI may have actually been breached.
"The fact is, if a cybercrook accessed clear text or unencrypted PHI to encrypt it, they had access to the PHI, and they could have, and in growing cases do, take copies to have for further extortion attempts at a later date, as well as to sell on the dark web."
Smaller Hospitals More at Risk?
Criminals who use ransomware as one of their tools will go after any type of organization of any size, Herold notes. Smaller hospitals and healthcare organizations, however, appear more vulnerable to these kinds of attacks, she adds.
"Small to midsized hospitals and other healthcare providers have consistently demonstrated a lack of having sufficient information security controls implemented over the past two decades," she says.
Keith Fricke, principle consultant at tw-Security, offers a similar perspective. "Smaller hospitals may be more susceptible to ransomware attacks than larger hospitals, based on the likelihood of having smaller budgets for technology investments that provide protective or detection capabilities," he says.
"Smaller budgets and smaller IT staff sizes may make it challenging for smaller hospitals to invest in tools to conduct internal phishing campaigns, which can raise awareness about phishing. This is important because phishing is the primary means by which criminals cause ransomware infections."
Cass Regional's decision to have ambulances carrying patients with certain urgent medical emergencies diverted to other hospitals also highlights the importance of including cyber events, such as ransomware attacks, as part of healthcare organizations' disaster and incident response plans.
"Ransomware is a significant threat to every type of organization, and the unique impacts of a successful ransomware attack must be considered and defended against," Herold says.
Fricke says simulating a ransomware event as a tabletop drill provides insight into an organization's response capability. "It serves as an incident response exercise as well as a disaster recovery exercise," he notes.
Steps to Take
All healthcare providers must have disaster recovery and business continuity procedures "established, tested and ready to go when an actual event occurs," Herold says.
At a bare minimum, she adds, the following processes should be in place:
- Make frequent backups - at least daily, and more often for critical data;
- Keep multiple generations of secured backups so the entity is not dependent upon one, which may be corrupted in some way;
- Occasionally test the backups to ensure they will be able to be successfully restored;
- Document all these processes within formal disaster recovery and business continuity procedures;
- Establish a DR/BCP team, train the team on the procedures and regularly meet to review the procedures;
- Provide ransomware awareness training to all employees so they can see the red flags for potential ransomware attacks;
- Keep all systems patched and updated;
- Run up-to-date anti-malware tools.
Fricke suggests additional steps to prevent becoming a victim of ransomware.
"If possible, blocking email from foreign countries can help. Some next-generation firewalls and endpoint protection solutions can detect and prevent some ransomware variants based on either signature-based or behavior-based capabilities."