Latest Ransomware Attacks Show Diversity of Victims
What Do They Have in Common? Difficult Recovery
A ransomware attack against a chain of veterinary medicine clinics plus an attack against a New York hospital show this threat remains pervasive, victims are diverse and recovery is difficult.
The two recently revealed victims are National Veterinary Associates, a California-based company that operates about 700 clinics worldwide, and The Brooklyn Hospital Center, a 464-bed New York hospital and network of family health centers and medical practices.
No matter what type of business is targeted for ransomware, "the technical and administrative steps to prevent, detect and recover from a ransomware attack would be very similar," says Tom Walsh, president of consulting firm tw-Security. "The exception - in healthcare, organizations have to automatically assume that ransomware is also a reportable breach [under HIPAA]."
That breach reporting requirement, Walsh says, "greatly impacts the efforts needed for analysis, containment, eradication and recovery. For example, other industries could restore a server from bare metal and blow away the logs. In healthcare, all of the log data needs to be preserved for forensic analysis to determine if there was unauthorized access to protected health information."
Clyde Hewitt, executive adviser at security consulting firm CynergisTek, notes: "All organizations, and not just healthcare providers, should develop a cyber resilience plan to prepare them for an eventual large, long-term outage."
NVA, which is still recovering from the attack, discovered the ransomware on the morning of Oct. 27 and then hired security firms to investigate and remediate the incident, according to the KrebsOnSecurity news blog.
The October attack was the second time this year that NVA was hit with the ransomware strain Ryuk, with the first attack occurring in the summer, a source close to the investigation told KrebsOnSecurity. While the latest attack, which apparently affected about 400 locations, did not prevent NVA from providing services, it did impact access to treatment records and online appointment bookings, according to the blog.
Because each NVA location runs its own IT operations, not all locations were affected by the attack, according to KrebsOnSecurity.
NVA did not immediately respond to an Information Security Media Group request for comment. But Laura Koester, NVA's chief marketing officer, told the blog: "It was ransomware, but we've been referring to it as a malware incident."
Containing the Spread of Malware
NVA reportedly says some of its locations escaped the attack because each runs its own IT. There are pros and cons to that approach, Walsh notes.
While the isolation might keep the malicious code from spreading to other NVA facilities, "each hospital probably has a small IT staff doing their own thing with no economies of scale - which is one of the advantages of being part of a larger organization."
Hewitt says NVA's federated IT model "won't work with most organizations because of the overhead cost of staffing and supporting many different IT departments."
The best approach to limiting the damage from any malware attack, Hewitt says, is to use micro-network segmentation. "Healthcare specifically can isolate medical devices, supply chain, financial records and even facilities down to smaller units - all of which can help contain ransomware and malware attacks."
Brooklyn Hospital Center Attack
In the other recently reported apparent ransomware attack, The Brooklyn Hospital Center, in a statement recently posted on its website, describes a July attack as involving malware that encrypted certain systems and "disrupted the operation of certain hospital systems."
Although the statement refers to an attack involving encryption, it does not use the term "ransomware." The Brooklyn Hospital Center did not immediately respond to an ISMG request for more details.
The organization reported the attack to the Department of Health and Human Services on Nov. 1 as a hacking/IT incident involving a network server and affecting more than 26,300 individuals, according to HHS' HIPAA Breach Reporting Tool website.
The New York hospital says in its statement that an investigation into its incident confirmed in September that due to the malware, and despite exhaustive efforts by the hospital to recover the data, certain patient data was unrecoverable, including patient names and certain dental or cardiac images.
"While our recovery efforts are ongoing, based on this determination, we are undertaking a diligent review of the patient data that may be potentially impacted by this event and taking steps to notify those individuals whose records may no longer be available. To date, we are unaware of any actual or attempted access to or misuse of medical or personal information," the statement says.
Lessons to Learn
The Brooklyn Hospital Center's admission that certain patient data is unrecoverable is indicative of an apparently incomplete backup strategy, Hewitt says.
"The root cause may lie in an immature business impact analysis or asset inventory," he says. "We should remind ourselves that not only is it important to backup data, but also the server and systems configurations, interface engines and other critical systems. The second root cause may be that those backups were not protected, either off-line, or in restricted devices."
But even when an entity recovers from a cyberattack, there's no guarantee that all data and systems will be completely restored, other experts note.
"Unfortunately, with certain types of malicious code, there will likely be a loss of data," Walsh says. "The challenge is finding the right balance of acceptable data loss versus recovery costs. This is what we typically refer to as the recovery point objective," he notes.
"To reduce the RPO, many organizations have implemented data backup strategies where data is replicated in near real time. However, in the case of ransomware ... the backups could be corrupted at almost the same time as the primary data storage. There needs to be some isolation of backups - an 'air gap' to protect their integrity from malicious code."
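The trade-off Walsh describes, as an added simulation that is not part of the article: a near-real-time replica mirrors the encrypted files almost immediately, while write-once snapshots on isolated storage survive at the cost of a larger recovery point objective. The minute-based timeline, record names and snapshot intervals are constructed for illustration.

```python
"""Backup strategies under a ransomware event (added example, not from the
article). A near-real-time replica mirrors every write, so it inherits the
encrypted files at once; an isolated snapshot store that the primary cannot
overwrite keeps an intact copy, at the price of a larger recovery point
objective (RPO). All record names, timestamps and intervals are constructed."""

ENC = "ENC:"   # marker standing in for ransomware-encrypted content


def is_clean(files: dict) -> bool:
    """True if no file in the set carries the encryption marker."""
    return all(not content.startswith(ENC) for content in files.values())


def simulate(encrypt_at: int, snapshot_interval: int, end: int = 60) -> dict:
    """Run a minute-by-minute timeline of writes to the primary store.

    encrypt_at        minute at which the ransomware encrypts everything
    snapshot_interval minutes between write-once snapshots to isolated storage
    Returns which copies remain usable and the data-loss window (RPO).
    """
    primary: dict = {}
    replica: dict = {}          # near-real-time mirror of primary
    snapshots: dict = {}        # minute -> frozen copy; never overwritten

    for t in range(end + 1):
        if t < encrypt_at:
            primary[f"record_{t}"] = f"data@{t}"          # normal write
        elif t == encrypt_at:
            primary = {k: ENC + v for k, v in primary.items()}
        replica = dict(primary)                           # replication lag ~0
        if t % snapshot_interval == 0:
            snapshots[t] = dict(primary)                  # isolated, append-only

    clean_times = [t for t, s in snapshots.items() if is_clean(s)]
    last_clean = max(clean_times) if clean_times else None
    return {
        "replica_usable": is_clean(replica),
        "last_clean_snapshot": last_clean,
        # minutes of writes that the isolated copy cannot give back
        "rpo_minutes": None if last_clean is None else encrypt_at - last_clean,
        "records_recoverable": len(snapshots[last_clean]) if last_clean is not None else 0,
    }


if __name__ == "__main__":
    for interval in (5, 15, 60):
        print(f"snapshot every {interval} min:", simulate(encrypt_at=37, snapshot_interval=interval))
```

Shortening the snapshot interval lowers the RPO but multiplies the isolated copies that must be stored and retained, which is the recovery-cost side of the balance the quote refers to.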