[BreachExchange] 'Lock it down and piss people off': How quick thinking stopped a ransomware attack from crippling a Florida hospital

[Terrell Byrd]

https://www.cnn.com/2022/01/16/politics/florida-hospital-ransomware/index.html


It was approaching midnight on Sunday and the head of IT at a Florida
hospital had a problem.

The emergency room of Jackson Hospital, a 100-bed facility on Florida's
panhandle, called to report that it couldn't connect to the charting system
that doctors use to look up patients' medical histories. Jamie Hussey,
Jackson Hospital's IT director, soon realized that the charting software,
which was maintained by an outside vendor, was infected with ransomware and
that he didn't have much time to keep the computer virus from spreading.

The hospital shut down its computer systems on his advice.

"If we hadn't stopped it, it probably would've spread out through the
entire hospital," Hussey said. Hospital staff ditched the electronic
records and reverted to pen and paper to keep the hospital running and
organized, he said, but patient care wasn't disrupted.

As Hussey spoke to CNN Tuesday, the hospital's IT systems were gradually
coming online, and he was expecting phone calls from the FBI (which
investigates hacking incidents) and Aon, a cybersecurity consultancy that
Hussey said was supporting the recovery. He was trying to figure out if the
hackers had stolen any hospital data, and if they might need to be paid off
to get it back.

The damage could've been far worse.

Jackson Hospital is just one of several dozen health care organizations
across the US that have had to battle ransomware attacks since the
coronavirus pandemic began. The disruptions have cost the sector millions
of dollars and prompted urgent calls to hospitals from federal officials to
be wary of cybercriminal groups.

One suspected ransomware attack in October 2020 forced the University of
Vermont to delay chemotherapy appointments, while another in August 2021
prompted the emergency room at Memorial Health System in Ohio to divert
patients to other facilities.

In the early minutes and hours of a ransomware attack, hospital
cybersecurity teams are on the front lines of the response; help from
federal agencies like the FBI might come later.

Yet hospitals don't often publicly discuss how quick thinking and
preemptive action can be the difference between containing a hack and
having it spiral out of control. For Hussey, it has meant minimal sleep
since Sunday, and the weight of a 600-person staff at Jackson depending on
his IT team of about a dozen to get hospital computers up and running again.

"The new guy I just hired is a cybersecurity graduate, so we broke him in
really early," he quipped.

A gradual recovery
Though Hussey's team acted quickly, Jackson Hospital's IT systems haven't
come away completely unscathed.

The emergency room's charting system could be offline for the rest of the
week, he said. (Doctors have been getting ER patient records from other
parts of the hospital network).

The entire hospital had to temporarily switch to what medical professionals
call "downtime procedures" — contingency plans after Hussey's team shut
computers down. For several hours, things like physician notes and
prescriptions for patients were processed by hand.
The attackers also encrypted a computer server that Jackson Hospital uses
to store non-critical organizational documents. Hussey was trying to figure
out if there was anything in those files that contained data on Jackson
patients and, if so, if the hospital should pay a ransom to get them back
(he said he wasn't aware of any ransom demand from the hackers).

The ransomware that Hussey's team found on the charting system is known as
Mespinoza and has racked up 190 victim organizations worldwide across
various industries, including several in health care, according to a
Department of Health and Human Services advisory on the group last week.

The hacking group is just one of several that haven't refrained from
hitting health care organizations during the pandemic. A study last year by
the US Cybersecurity and Infrastructure Security Agency found that
ransomware attacks can "lead to significant and sustained" strain on
hospitals already reeling from a flood of coronavirus patients.

Allan Liska, senior threat intelligence at cybersecurity firm Recorded
Future, said there were 134 publicly reported ransomware incidents
involving health care organizations in 2021, up from his 2020 tally of 106
incidents.

But many ransomware attacks don't make the news.

"I've worked with a number of healthcare providers recently that have
managed to stop a ransomware attack during the reconnaissance stage," Liska
told CNN. "Sharing this information helps other organizations better
understand what they should be looking for and developing better strategies
for stopping ransomware."

'Lock it down and piss people off'
The recovery process at Jackson Hospital has been meticulous to ensure that
malicious code isn't lingering in some neglected part of the network.

Hussey's team went down the list of computer systems across the hospital,
starting with the most critical, and made sure they weren't infected with
ransomware. They physically disconnected the hospital's electronic health
records system from the rest of the computer network to check them for
malicious code before reconnecting to the system.

By Wednesday, hospital computers were back online except for the charting
systems used by the ER.

Hussey said the decision to shut computer networks down may not be popular
with some hospital staff, "but it's better to be down a day than be down a
month."

"Lock it down and piss people off," Hussey, who has worked at Jackson for
over 25 years, said in a Southern drawl. "It's what you have to do just to
secure your network."
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220118/8a0cc032/attachment.html>