
Latest Ransomware Attacks Show Diversity of Victims

What Do They Have in Common? Difficult Recovery

A ransomware attack against a chain of veterinary medicine clinics plus an attack against a New York hospital show this threat remains pervasive, victims are diverse and recovery is difficult.


The two recently revealed victims are National Veterinary Associates, a California-based company that operates about 700 clinics worldwide, and The Brooklyn Hospital Center, a 464-bed New York hospital and network of family health centers and medical practices.

No matter what type of business is targeted for ransomware, “the technical and administrative steps to prevent, detect and recover from a ransomware attack would be very similar,” says Tom Walsh, president of consulting firm tw-Security. “The exception – in healthcare, organizations have to automatically assume that ransomware is also a reportable breach [under HIPAA].”

That breach reporting requirement, Walsh says, “greatly impacts the efforts needed for analysis, containment, eradication and recovery. For example, other industries could restore a server from bare metal and blow away the logs. In healthcare, all of the log data needs to be preserved for forensic analysis to determine if there was unauthorized access to protected health information.”

Clyde Hewitt, executive adviser at security consulting firm CynergisTek, notes: “All organizations, and not just healthcare providers, should develop a cyber resilience plan to prepare them for an eventual large, long-term outage.”

NVA Incident

NVA, which is still recovering from the attack, discovered the ransomware on the morning of Oct. 27 and then hired security firms to investigate and remediate the incident, according to the KrebsOnSecurity news blog.

The October attack was the second time this year that NVA was hit with the ransomware strain Ryuk, with the first attack occurring in the summer, a source close to the investigation told KrebsOnSecurity. While the latest attack, which apparently affected about 400 locations, did not prevent NVA from providing services, it did impact access to treatment records and online appointment bookings, according to the blog.

Because each NVA location runs its own IT operations, not all locations were affected by the attack, according to KrebsOnSecurity.

NVA did not immediately respond to an Information Security Media Group request for comment. But Laura Koester, NVA’s chief marketing officer, told the blog: “It was ransomware, but we’ve been referring to it as a malware incident.”

Containing the Spread of Malware

As for NVA reportedly saying that some of its locations were not impacted by the ransomware attack because each runs its own IT, there are pros and cons to this approach, Walsh notes.

While the isolation might keep the malicious code from spreading to other NVA facilities, “each hospital probably has a small IT staff doing their own thing with no economies of scale – which is one of the advantages of being part of a larger organization.”

Hewitt says NVA’s federated IT model “won’t work with most organizations because of the overhead cost of staffing and supporting many different IT departments.”

The best approach to limiting the damage from any malware attack, Hewitt says, is to use micro-network segmentation. “Healthcare specifically can isolate medical devices, supply chain, financial records and even facilities down to smaller units – all of which can help contain ransomware and malware attacks.”

Brooklyn Hospital Center Attack

In the other recently reported apparent ransomware attack, The Brooklyn Hospital Center, in a statement recently posted on its website, describes a July attack as involving malware that encrypted certain systems and “disrupted the operation of certain hospital systems.”

Although the statement refers to an attack involving encryption, it does not use the term “ransomware.” The Brooklyn Hospital Center did not immediately respond to an ISMG request for more details.

The organization reported the attack to the Department of Health and Human Services on Nov. 1 as a hacking/IT incident involving a network server and affecting more than 26,300 individuals, according to HHS’ HIPAA Breach Reporting Tool website.

The New York hospital says in its statement that an investigation into its incident confirmed in September that due to the malware, and despite exhaustive efforts by the hospital to recover the data, certain patient data was unrecoverable, including patient names and certain dental or cardiac images.

“While our recovery efforts are ongoing, based on this determination, we are undertaking a diligent review of the patient data that may be potentially impacted by this event and taking steps to notify those individuals whose records may no longer be available. To date, we are unaware of any actual or attempted access to or misuse of medical or personal information,” the statement says.

Lessons to Learn

The Brooklyn Hospital Center’s admission that certain patient data is unrecoverable is indicative of an apparently incomplete backup strategy, Hewitt says.

“The root cause may lie in an immature business impact analysis or asset inventory,” he says. “We should remind ourselves that not only is it important to back up data, but also the server and systems configurations, interface engines and other critical systems. The second root cause may be that those backups were not protected, either off-line, or in restricted devices.”

But even when an entity recovers from a cyberattack, there’s no guarantee that all data and systems will be completely restored, other experts note.

“Unfortunately, with certain types of malicious code, there will likely be a loss of data,” Walsh says. “The challenge is finding the right balance of acceptable data loss versus recovery costs. This is what we typically refer to as the recovery point objective,” he notes.

“To reduce the RPO, many organizations have implemented data backup strategies where data is replicated in near real time. However, in the case of ransomware … the backups could be corrupted at almost the same time as the primary data storage. There needs to be some isolation of backups – an ‘air gap’ to protect their integrity from malicious code.”
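To make Walsh's recovery point objective trade-off concrete, here is an added simulation (not code from the article, NVA or The Brooklyn Hospital Center) that feeds a constructed set of file writes to a near-real-time mirror and to a scheduled, isolated snapshot, then encrypts the primary store at a chosen hour. The file names, write times and snapshot interval are constructed assumptions.

```python
"""Compare a near-real-time mirror with an isolated scheduled snapshot
when ransomware encrypts the primary store. Constructed example."""

# Constructed sample writes: (hour, filename, content), in time order.
SAMPLE_WRITES = [
    (0, "patient_001.rec", "demographics"),
    (3, "cardiac_img_17.dcm", "cardiac image bytes"),
    (6, "dental_img_42.dcm", "dental image bytes"),
    (9, "schedule.db", "appointment bookings"),
]


def simulate(writes, attack_hour, snapshot_interval_h):
    """Replay writes up to attack_hour, then encrypt the primary store.

    The mirror copies every write as it happens, so it also copies the
    encrypted data. The snapshot is an offline copy refreshed only at
    multiples of snapshot_interval_h, so it stays clean but lags behind.
    Returns counts of clean files per strategy, the files the snapshot
    never captured, and the recovery point actually achieved (hours).
    """
    primary, mirror, snapshot, snapshot_hour = {}, {}, {}, 0
    for hour in range(attack_hour):          # attack begins at attack_hour
        if hour % snapshot_interval_h == 0:  # isolated copy, taken before this hour's writes
            snapshot, snapshot_hour = dict(primary), hour
        for write_hour, name, content in writes:
            if write_hour == hour:
                primary[name] = content
                mirror[name] = content       # near-real-time replication
    for name in primary:                     # ransomware encrypts primary ...
        primary[name] = "ENCRYPTED(" + name + ")"
        mirror[name] = primary[name]         # ... and the mirror replicates that too

    def clean(store):
        return [n for n, c in store.items() if not c.startswith("ENCRYPTED(")]

    return {
        "mirror_clean": len(clean(mirror)),
        "snapshot_clean": len(clean(snapshot)),
        "lost_files": sorted(set(primary) - set(snapshot)),
        "achieved_rpo_hours": attack_hour - snapshot_hour,
    }


if __name__ == "__main__":
    for interval in (4, 24):
        print(interval, "h snapshots:", simulate(SAMPLE_WRITES, 10, interval))
```

Running the block shows the mirror holds zero clean files in both cases, while a 4-hour snapshot loses only the file written after hour 8 and a daily snapshot loses everything written that day.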

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
