Business continuity/disaster recovery management, endpoint security, fraud management and cybercrime
What steps can other entities take to ease post-attack restoration pain?
Marianne Kolbasuk McGee (HealthInfoSec) •
February 7, 2022
Most phone lines, email and other computer systems appear to remain down at a Kentucky hospital that suffered a cyberattack more than three weeks ago. Meanwhile, the Maryland Department of Health continues to work to fully restore IT services still impacted more than two months after a ransomware attack in December.
These are among the latest reminders of the length and difficulty of recovery when a healthcare or public health sector entity is hit by ransomware or other disruptive cyberattacks.
Attack on Taylor Regional Hospital
As of Monday, Taylor Regional Hospital, a 90-bed facility based in Campbellsville, Ky., was still operating with only about two dozen temporary phone lines that were put into service while the entity continues to investigate and recover from a cyberattack it first publicly disclosed on its Facebook page on Jan. 19.
An “urgent warning” still posted on the hospital’s website on Monday says all phone lines to the hospital and to hospital-owned providers are down. The website message also states that some patient services are only available on a limited basis and that people need to bring paper documents to various appointments.
For example, the notice states that routine outpatient laboratory testing will only be performed daily during a six-hour window in the morning and early afternoon and that all patients should bring a “WRITTEN” order.
COVID-19 testing is also significantly affected. “Due to the system-wide outage, we are unable to schedule COVID testing as previously advised; we are still testing at the walk-in clinic between 10:00 a.m. and 12:00 p.m. on a first-come, first-served basis,” the notice reads.
“We appreciate your patience as we work to return to normal operations.”
Taylor Regional Hospital did not immediately respond to Information Security Media Group’s request for comment.
Maryland Department of Health incident
Meanwhile, approximately 5,000 replacement computers, including 4,000 laptops, were deployed to Maryland Department of Health workers who had been instructed not to use their MDH-issued computers due to the risk of possible malware infections following a cyberattack that occurred on December 4.
Last month, state officials confirmed that the attack involved ransomware.
In a statement to ISMG, an MDH spokesperson said, “In general, where possible, affected MDH computers are cleaned for redeployment. However, some computers that are nearing the end of their expected life are replaced. As always, the security of state systems remains a top priority.”
In a Jan. 28 update the health department shared with ISMG, department heads told staff that incident containment and investigation efforts were progressing as the department continued to bring systems back online securely.
“At the same time, we know that the incident and our response have been disruptive,” the letter said. “Many core functions of the Department have not been affected and many services have already been restored, but the impacts on our staff, administrations and partners are still widely felt.”
A notice posted Monday on the Department of Health’s website reads: “To prevent further harm, we continue to be methodical and deliberate in restoring network systems while prioritizing the function of human health and safety. We remain actively engaged with state and federal law enforcement partners in an ongoing criminal investigation.”
Unfortunately, the ongoing restoration struggles at the Kentucky Hospital and the Maryland Department of Health following the cyberattacks are not unusual for entities in the healthcare and public health sector.
Last May, a ransomware attack disrupted computer systems and patient care at San Diego, Calif.-based Scripps Health for nearly a month, costing the organization nearly $113 million, including $91.6 million in lost revenue, according to a financial report from the nonprofit entity.
The healthcare organization is also facing civil class action lawsuits from patients who claim their care was delayed and their data was compromised by the incident (see: Lawsuits: Patients ‘damaged’ by Scripps Health cyberattack).
HSE attack in Ireland
And US-based healthcare entities aren’t the only ones that have struggled to recover quickly from ransomware or other cyber incidents.
For example, it took the Irish Health Service Executive about four months to fully recover from a Conti ransomware attack last May that shut down all of its IT systems nationwide, the US Department of Health and Human Services said in a report released Friday to the US healthcare and public health sector.
The HHS document is based on a 157-page report published last December by PricewaterhouseCoopers, which had been commissioned by the HSE to analyze the incident (see: Report Dissects Conti Ransomware Attack on Irish HSE).
The HSE is Ireland’s publicly funded healthcare system under the Irish Department of Health, made up of 54 public hospitals directly under the HSE and voluntary hospitals that use the national IT infrastructure, according to the HHS.
The incident is the largest cyberattack against an Irish public agency to date and is also the largest known attack against a health service IT system in history, HHS said.
About 80% of HSE’s computing environment was encrypted by Conti ransomware during the incident, according to HHS. “The impact of the ransomware attack on communications was severe, as the HSE almost exclusively used on-premises email systems – including Exchange – which were encrypted, and therefore unavailable, during the attack,” HHS explains.
The HSE took steps to contain the ransomware attack by shutting down systems and disconnecting the wider National Health Network from the internet, HHS said.
But according to the agency, the incident resulted in the exfiltration of 700 gigabytes of unencrypted HSE data, including patient health information.
Lessons to learn
Some experts say the severe challenges many healthcare entities face in defending against ransomware and other cyber incidents, and then recovering, should serve as a wake-up call to other organizations.
“The biggest lesson to be learned from these really impactful attacks is the lack of internal controls and restrictions to impede access once a system is compromised,” says William Gadzinski, senior incident response consultant at the security consulting firm Pondurance.
IT security practitioners are comfortable with the concept of defense in depth when planning for incident prevention, says Gadzinski, but often they don’t consider or implement controls that would keep an incident contained to a manageable extent.
“Assessing one’s security posture from the perspective of a suspected system compromise can often reveal gaps in protection or blind spots in detection methods that allow an attacker to increase their access and thus cause serious damage,” he says.
Gadzinski says that before deploying ransomware, an attacker can remain in an environment for a long time, deploying backdoors and persistence that would be included in any backups made – and rendering those backups useless.
“While an organization may have mechanisms to identify unauthorized access or breaches, these mechanisms are only useful if they are regularly monitored,” he says.
“IT management must ensure that backup retention schedules appropriately match scheduled log reviews and detection times, ensuring that a system will not overwrite its last ‘good’ backup before unauthorized access can be identified.”
Keep communication intact
Gadzinski says entities can also take steps to prevent situations like the one that occurred during the Taylor Regional Hospital attack, in which phone and email communications were severely affected.
“Isolating a VoIP network from a corporate domain, both through network controls and authentication groups, can help maintain communications in the event of a domain-affecting incident,” he says.
“If federated authentication is required, isolating the network and setting up separate accounts for the administration of each network can help reduce the impact of an attack involving the compromise of the administrator account.”
Gadzinski also points out that while email cannot be separated from authentication and endpoint infrastructure, having a plan to quickly deploy and maintain email and out-of-band communications is essential for rapid response and resumption of operations.
Attorney Peter Halprin of law firm Pasich LLP, which works closely with cyber insurers, says preventative measures are essential to ward off the severe impact of some potential ransomware incidents.
He says cyber hygiene, patching systems, updating old systems, and a strong, well-tested incident response plan are all key to preventing attacks.