After a ransomware attack in April 2017 took down 6,000 computers, ECMC set about the grueling process of getting the hospital's systems and services back online. More than three months later, officials estimate the total cost of recovery has reached nearly $10 million.
It started in the early hours of Sunday, April 9th. It was 2am, a time when most organizations' offices sit silent and dark. That was far from the case at Erie County Medical Center, a 602-bed hospital in Buffalo, NY, however. As the region's Level 1 trauma center, the emergency room in particular would have been a whirlwind, packed with patients and staff treating anything from car crashes to major burns to gunshot wounds and the other types of extreme injuries that keep the department operating over-capacity an average of 12 hours a day.
In the midst of all that activity, it may have taken a few moments for staff to register the fact that strange message windows had silently popped up on computer screens all across the hospital. One second they weren't there, and it was just another hectic overnight weekend shift. The next, there they were: ransom notes announcing the hospital's files had been encrypted, and that the only way to unlock them was to pay 24 Bitcoins, roughly $30,000 at the time.
SamSam ransom screen that appeared on ECMC computers. Source: Buffalo News
An hour and a half later, the medical center's IT team made the decision to shut all computer systems down. From that point forward — for a period lasting more than six weeks — ECMC would be forced to meet all the modern-day demands of a major urban hospital by relying on low-tech, manual processes, some of which hadn't been used in 20 years.
Much more than simply encrypting files on ECMC's computers, what the attack had effectively done was blast the entire hospital back into the past.
Taking into account advice from law enforcement authorities and security experts, ECMC management decided not to pay the ransom. Beyond not trusting the attackers to actually hand over the decryption keys (or trusting the decryption process to actually work), the hospital concluded that the only way to restore confidence in the integrity of its systems, and to be sure the attackers hadn't made any additional malicious changes, was to wipe every potentially affected machine and rebuild each one from backups taken before the initial compromise occurred.
As ECMC's IT staff worked with external specialists around-the-clock to carry out that task and get the hospital's computer system back up and running, the rest of the staff grappled with the challenges of conducting their work offline.
Veteran staff were able to draw on their prior experience with the manual processes to ease the transition — some doctors even brought in unused paper prescription pads to use — but for younger staff who had only worked with digital systems, the sudden shift was especially disruptive.
Practically everything that needed to be done took more time. And for a hospital specializing in urgent care and trauma, more time is the one thing no one ever has.
In July, three months after the attack, ECMC estimated the total costs associated with the incident had reached nearly $10 million.
According to ECMC officials, roughly $5 million had been spent on "computer hardware, software, and assistance needed in the response." The medical center estimated business losses and increased expenses such as overtime pay added up to an additional $5 million in damages.
The good news for ECMC is the hospital may be able to recover nearly all of those losses thanks to an incredibly well-timed decision to increase its insurance coverage from $2 million to $10 million just five months prior to the attack.
That $10 million aside, however, ECMC officials also estimate the medical center will spend an additional $250,000 - $400,000 a month on upgraded technology and employee education to reduce the risk and impact of cyber attacks moving forward.
While the hospital believes it can offset those costs by cutting back spending in other areas, the fact remains that the financial impact of the attack will continue to be felt for months to come.
It's no secret healthcare is one of the most at-risk industries for ransomware attacks. In a June 2017 memo, the U.S. Department of Homeland Security categorized the sector as both "frequently targeted" and "highly vulnerable," and earlier in the year experts warned healthcare providers that they could expect attacks to double.
With the risk of ransomware infections continuing to rise and the potential fallout from attacks becoming more and more severe, what lessons can other healthcare providers learn from ECMC's weeks-long ordeal?
It's good that ECMC is investing in employee education to help its staff become more aware of ransomware, but the truth is the biggest uptick in successful ransomware attacks against hospitals isn't tied to users opening malicious email attachments or visiting compromised websites. It's attributed to attackers breaking into networks directly over Remote Desktop Protocol (RDP), the same vector seen in several other hospital attacks covered in an earlier post.
As was the case with the ECMC infection, all attackers have to do is scan the Internet for hosts with TCP port 3389 exposed, then brute-force the RDP login until a weak or default password lets them in. At that point they have an interactive session on a machine inside the network and can run whatever they choose.
The groups behind CrySiS, SamSam, Shade, Apocalypse, and other ransomware are all using RDP as an attack vector. From Q4 2016 to January 2017, RDP attacks spreading CrySiS alone doubled.
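The brute-force pattern described above is visible on the target before the ransomware ever runs: a single source address generating a burst of failed RDP logons (Windows Security Event ID 4625 with logon type 10, RemoteInteractive) across many account names, sometimes followed by a success (4624). The script below is an added example, not code from the original article or from ECMC; it runs over a constructed, simplified CSV export of such events (the column layout and the addresses are assumptions for the example) and reports sources that cross a failure threshold, noting whether a success followed.

```shell
# Constructed sample: a simplified CSV export of Windows Security logon events.
# Columns: time,event_id,logon_type,account,source_ip. The format and all values
# are assumptions made for this example, not an artifact from the ECMC incident.
# 4625 = failed logon, 4624 = successful logon, logon type 10 = RDP.
sample_logons() {
cat <<'EOF'
time,event_id,logon_type,account,source_ip
2017-04-09T01:52:03,4625,10,administrator,198.51.100.7
2017-04-09T01:52:04,4625,10,admin,198.51.100.7
2017-04-09T01:52:04,4625,10,Administrator,198.51.100.7
2017-04-09T01:52:05,4625,10,scanner,198.51.100.7
2017-04-09T01:52:06,4625,10,guest,198.51.100.7
2017-04-09T01:52:07,4625,10,backup,198.51.100.7
2017-04-09T01:53:10,4625,2,jsmith,10.20.1.15
2017-04-09T01:55:41,4625,10,rwilliams,10.20.1.40
2017-04-09T01:56:02,4624,10,Administrator,198.51.100.7
EOF
}

# Read the CSV on stdin and print "source_ip failures distinct_accounts flag" for
# every source whose failed RDP logons reach the threshold given as $1.
# Account names are compared case-insensitively, as Windows does. The flag is
# "then-success" when the same source later logged on successfully over RDP,
# which is the case that needs an immediate response.
rdp_bruteforce_sources() {
  awk -F, -v threshold="$1" '
    NR > 1 && $2 == "4625" && $3 == "10" {
      ip = $5; acct = tolower($4)
      fails[ip]++
      if (!((ip SUBSEP acct) in seen)) { seen[ip SUBSEP acct] = 1; accts[ip]++ }
    }
    NR > 1 && $2 == "4624" && $3 == "10" && ($5 in fails) { success[$5] = 1 }
    END {
      for (ip in fails)
        if (fails[ip] >= threshold) {
          flag = (ip in success) ? "then-success" : "no-success"
          print ip, fails[ip], accts[ip], flag
        }
    }'
}

# Usage: sample_logons | rdp_bruteforce_sources 5
# prints: 198.51.100.7 6 5 then-success
```

The interactive (type 2) failure from 10.20.1.15 and the single RDP failure from 10.20.1.40 are ignored at a threshold of 5; only the external source that cycled through six common account names, and then got in as Administrator, is reported.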
That makes scanning hospital networks from outside the perimeter, to determine whether any machines have port 3389 reachable from the Internet, a top priority. Tools like Nmap make that process easy, and organizations should keep in mind that attackers have access to the same tools. DigitalOcean publishes a tutorial that walks through testing your firewall configuration with Nmap to see what your network looks like to an attacker.
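As an added example (not from the original article, and not a Barkly or ECMC tool), the script below shows the Nmap invocation for such an external check and a small parser for Nmap's grepable (`-oG`) output that lists every host with a given port open. The scan target and the sample output are constructed: 203.0.113.0/29 is a documentation range, and a real run would be pointed at the hospital's own public address space from a host outside the perimeter.

```shell
# Real scan (needs network access and authorization; not executed here):
#   nmap -Pn -p 3389,445 -oG - 203.0.113.0/29 | open_hosts 3389
# -Pn skips host discovery so hosts that drop ping are still probed; -oG - writes
# grepable output to stdout. Constructed sample of that output (real Nmap separates
# the fields with tabs; the parser accepts tabs or spaces):
sample_gnmap() {
cat <<'EOF'
# Nmap 7.80 scan initiated Sun Apr 09 02:00:00 2017 as: nmap -Pn -p 3389,445 -oG - 203.0.113.0/29
Host: 203.0.113.1 ()    Status: Up
Host: 203.0.113.1 ()    Ports: 3389/filtered/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///
Host: 203.0.113.2 ()    Status: Up
Host: 203.0.113.2 ()    Ports: 3389/open/tcp//ms-wbt-server///, 445/filtered/tcp//microsoft-ds///
Host: 203.0.113.3 ()    Status: Up
Host: 203.0.113.3 ()    Ports: 3389/closed/tcp//ms-wbt-server///, 445/open/tcp//microsoft-ds///    Ignored State: closed (0)
# Nmap done at Sun Apr 09 02:00:05 2017 -- 8 IP addresses (3 hosts up) scanned in 5.00 seconds
EOF
}

# Read grepable Nmap output on stdin and print each host on which port $1 is open.
# Each "Ports:" entry has the form port/state/proto//service///; entries are
# separated by ", " and an optional "Ignored State" field trails the list.
open_hosts() {
  awk -v port="$1" '
    /^Host:/ && /Ports:/ {
      host = $2
      sub(/.*Ports: /, "")
      sub(/[ \t]+Ignored State.*/, "")
      n = split($0, entries, ", ")
      for (i = 1; i <= n; i++) {
        split(entries[i], f, "/")
        if (f[1] == port && f[2] == "open") print host
      }
    }'
}

# Usage: sample_gnmap | open_hosts 3389
# prints: 203.0.113.2
```

Any host the parser prints for 3389 is reachable over RDP from the Internet and is exactly what the brute-force scanners described above are looking for; the same check against 445 catches SMB exposure of the kind WannaCry exploited.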
Attacks like this one and WannaCry's infection of the UK's National Health Service (NHS) in May are potent examples of just how damaging and disruptive ransomware can be once it's set loose inside a hospital network.
It's clear that, when it comes to ransomware, detecting and responding to attacks after the fact is no longer enough. Organizations need to prioritize preventing infections at the outset, before they have a chance to do damage. In addition to securing port 3389 (RDP) and port 445 (SMB), that also means supplementing standard antivirus solutions with newer forms of protection on the endpoint.
To find out how Barkly goes beyond antivirus to keep companies protected against the latest ransomware attacks, learn more about how our endpoint protection works.
When ransomware infections happen, there isn't much time to react. And in a setting like a hospital emergency room, there's certainly no option to hit pause while you assess the situation and come up with a plan.
"One of the key things that got us through this is we have a plan in place and we practiced," said Dr. Jennifer Pugh, associate chief of service for emergency medicine.
When ECMC's IT staff was alerted to the infection and made the call to shut down the hospital's computer systems, they knew that decision would have massive ripple effects on operations throughout the hospital. But they also knew there was a plan in place for keeping critical services up and running during major disasters and power outages. The plan was documented and hospital staff had been trained on it.
That disaster preparedness played a key role in ensuring the disruption caused by the attack wasn't even worse. Now the hospital has the incredibly unfortunate but also incredibly valuable experience of having seen that plan play out in real life, and it can make adjustments to ensure it's even better prepared moving forward.
The key for other providers is to make sure they also have a practiced plan in place before they need it.
A key factor that enabled ECMC's decision not to pay the ransom was the fact the hospital had access to backups that hadn't been encrypted or corrupted during the infection. Having those backups didn't prevent the downtime or disruption caused by the attack, but they did ensure complete recovery would eventually be possible.
According to ECMC officials, no patient data was compromised as a result of the infection, and in that regard the hospital can consider itself extremely lucky.
In July 2016, the HHS Office for Civil Rights issued a statement that ransomware attacks constitute breaches subject to the HIPAA Breach Notification Rule, specifically because when electronic PHI is encrypted that means the information "was acquired (i.e., unauthorized individuals have taken possession or control of the information)."
It took months for this view to be adopted and enforced, but beginning in Q1 2017 there has been an influx of providers falling in line and reporting ransomware attacks as data breaches.
The reason that's such a huge development is that it changes the way healthcare providers need to think about the damage and harm ransomware causes. It's no longer simply the risk of files becoming encrypted and inaccessible they need to worry about — though as this attack shows that can certainly cause widespread disruption — it's the risk of data exfiltration.
In the eyes of regulators, if providers suffer a ransomware infection, it's assumed that patient data has been compromised unless the provider can specifically prove otherwise. That burden of proof makes ransomware a threat that can't be swept under the rug with backups. All the more reason for providers to make blocking ransomware attacks (not just responding to them) a top priority.