[BreachExchange] MedStar official on cyberattack: 'We chose by design not to pay the ransomware'

Audrey McNeil audrey at riskbasedsecurity.com
Thu Jul 7 18:45:47 EDT 2016


http://www.bizjournals.com/washington/blog/techflash/2016/07/medstar-official-on-ransomware-attack-we-chose-by.html

When MedStar Health officials discovered on a Sunday night in March that
hackers had infiltrated computer systems at one of three offsite locations
— the problem worsening despite efforts to stop it — the responsibility
fell to a midlevel director to make a quick call.

"He made the brave but per-the-protocol decision to shut every aspect of
MedStar Health's electronic medical record systems off," said Dr. Craig
DeAtley, the system's director of emergency preparedness. "So we found
ourselves as a health care system now without the daily computer-based
program software that drives everything from patient care to our biomedical
surveillance to our ordering equipment and supplies."

DeAtley spoke during a videotaped panel discussion last month with a U.S.
Department of Health and Human Services official from the Assistant
Secretary for Preparedness and Response. His comments were the first public
remarks by a MedStar Health official on the subject since the cyber attack,
which resulted in a shutdown of more than 370 computer systems.

"In our particular case, we chose by design not to pay the ransomware,"
DeAtley said. "It wasn't a ridiculous price. But we weren't trusting in
more ways than one. So we found ourselves involved now in a marathon."

Officials at MedStar declined to comment further and have previously
refused to acknowledge the attack even involved ransomware. DeAtley said
cyber attacks, such as ransomware attacks in which hackers lock up valuable
data and demand ransoms from organizations, are considered among the top
five concerns in the health system's threat assessment.

Here are some other highlights from DeAtley's comments:

1. Every hospital should expect this: That's true no matter how much work
is put into defenses. "Take it for granted and plan accordingly," DeAtley
said.

MedStar has already begun making changes, ensuring that its emergency
communications systems are totally separate from all other systems. Two
critical paging systems and the primary internet-based information sharing
system were lost during the outage.

And while DeAtley said the health system had already practiced what to do
in the event of an online shutdown, he suggested future training would be
broken down in a facility-specific manner.

"The approach we're taking is, 'If it happened once, what's to say it's not
going to happen again?'" he said. "The difference will be we'll be a whole
lot smarter in how we approach the myriad issues that can be associated
when you lose one program, or in our case hundreds of programs, in a
simultaneous fashion."

2. Make sure your people can go low-tech: "One of the things that was
interesting to me was as an individual that's been in health care for
40-plus years is we had the millennials … that new generation who are so
accustomed to using the computers, being a bit lost when the computers were
shut off," DeAtley said.

In this particular event, it took three weeks before much of what was
critical to the health system on a daily basis was operational again. But
younger employees just don't have experience working on paper, he said.

"In that rehearsing moving forward, as we did in reality during the outage,
we'll have the old timers who were career-started on pen and paper going
and showing the new generation that, 'Yeah, you can continue providing
quality patient care. You can take what needs to be done with just pen and
pencil fashion,'" he said.

There was one upside in going back to paper. Many workers said they
improved communication through face-to-face meetings rather than texts, a
practice MedStar intends to recapture going forward, DeAtley said.

But all that paperwork created during the outage had to be integrated into
the electronic records system. "It's one thing to look at how am I going to
re-enter information for two hours or maybe 24 to 48 hours. But going back
and looking at three weeks worth of data? You may find yourselves staggered
by the time that's going to be committed to do just that," he said.

3. Make sure your experts can explain the problem: When crisis hospitals
prepare for catastrophes such as plane crashes or pandemic illnesses, top
leaders typically understand what's happening.

But when it comes to the IT infrastructure? "There's a select few who
really know as much as need to be known," DeAtley said. "So the rest of us
find ourselves having to really trust more than what we might be used to or
asking questions we might not have thought about asking before now because
the impact of the outage is not simply on paper. It's at the bedside."

It helps to have experts on hand who can effectively brief leaders on the
technical side of the problem and "explain the information in a somewhat
simplistic fashion in order for those decision makers to properly
prioritize," he said.