Tales from the Cyber War Trenches
Evolving attacks do more than digital damage
By Brant Couch, CIC, CPA
“If we ever have to pay a ransom, I will cut my throat.”
– IT Director: who is still alive after hospital paid $750,000 ransom
Imagine how you would feel when, after going above and beyond to protect your hospital, your EHR system fails. Just imagine… it’s stopped dead, with no backup, and cyber criminals are demanding $1.6 million in exchange for an encryption key… a key that may, or may not, work.
Since I began writing about cyber security nearly a decade ago, the nature of cyber warfare has evolved. Then, the primary concern was data-breach prevention; stopping criminals from stealing patient records was job #1. Now, as cyber criminals continue to innovate, hospitals are increasingly concerned about cybercrimes that threaten their ability to conduct normal operations.
Malicious threats like zero-day malware, ransomware, spyware and scareware are on the rise. Older threats like phishing, unintended disclosure, and human error have not abated. Increasingly, when these threats become real, hospitals suffer from loss of critical operational data, business interruption, and ever-larger amounts of financial harm.
“They stole our holidays!”
That the executive team at Coryell Health in Gatesville, Texas had to work through the 2019 Christmas holidays added insult to a very costly cyber war injury.
Speaking as a member of an online panel discussion I moderated during the TORCH Fall 2020 Conference, CEO David Byrom said, “It was a horrible event, it shut everything down: clinical documents, financial data, inpatient, outpatient… we couldn’t send out bills.” He was describing a cyber-attack during which criminals found a flaw in their system and shut it down with malware.
“Our systems started failing on December 16th but it took three days to realize we were being attacked. It shut down access to our outside servers but, thankfully, our vendor managed to get EHR working again after one week.”
What would it be like for your hospital not to have EHR access for one week?
It gets worse. With the attack infecting 150 workstations, the only course of action was to shut everything down, and rebuild from the system’s backup. But, despite rigorous procedures and systems, Coryell’s backup was unavailable. The criminals asked for $1.6 million but David and his consulting team were able to negotiate that down to $750,000. “We had to pay the ransom, their encryption key was all we had to work with,” Byrom said.
“I was a little arrogant, because of what I thought we had in place to prevent this.”
Take a look at the integrity of your hospital’s cybersecurity.
Are you protected on all fronts? Are your preventative measures, including policies, procedures, technology, training, and education, the best you can afford? Do you have a breach response strategy that includes some form of legal, forensics, notification, credit/identity monitoring and crisis management?
What about insurance? Do you have first party coverage for business interruption loss and dependent business loss incurred as a result of security breach/system failure? What about cyber extortion loss, data recovery costs, data and network liability, regulatory defense and penalties, payment card liabilities and costs, and media liability?
You bet it’s exhausting… but, that’s the nature of being in what is now a never-ending war.
“We had three ransomware attacks in the past that we recovered quickly from by deleting the virus and rebooting the server,” Byrom said. “But, this time, we had several failure points that brought us to our knees. The crux was we thought the backup was occurring but the backup was incomplete… our system showed it was there… but it wasn’t.”
David Byrom and his team have been staying ahead of the cyber security game through exceptional diligence and focus. You may think it was simply a stroke of bad luck that forced them to pay $750,000 for the encryption key to unlock their data. And, perhaps you are right. But, here’s another thought you may wish to consider: As cyber criminals continue to devise increasingly insidious ways to break into and wreak havoc in your business systems, are you content with the work you’ve done… or, perhaps you see that the work never ends?
People, people, people!
As cyber crooks continue to contrive ever-craftier deceptions, it is increasingly essential for every single person who has access to your hospital’s data, network, and literally any digital device, to be constantly on the lookout.
The need for cyber safety training, awareness, and rigorous diligence is highlighted by a cyber battle waged against Hill Country Memorial Hospital in Fredericksburg, TX. Panelist and CEO Jayne Pope told the TORCH audience, “Our front door wasn’t wide open. Our first line of defense is our team and we had just done some intensive team education. Despite this, we fell into a trap.”
In response to a phishing email, a Hill Country clinical director entered info into what she thought was a legitimate portal. It wasn’t. By logging in, she was giving up her credentials, including her password.
“We believe the criminals wanted patient records. We saw after review, that they were creating fake invoices,” Pope said. “We had bought insurance that year and this was the first test… the insurance was the only positive aspect of the incident.”
To cover any potential liability, and even though no patient records were stolen, Hill Country decided to follow a breach response protocol by providing full disclosure of the incident to patients.
Wash, rinse, repeat
That incident occurred in 2017. In 2019, the cyber crooks came after Hill Country again. This time they gained access to the CFO’s email account and sent a bogus invoice to the hospital’s accounts payable clerk. Even though the invoice was fake, that was not readily apparent, and when the clerk looked up the legal firm, it was legitimate. The invoice was paid.
Emboldened, the crooks tried the scheme a second time, but this time the fake invoice was flagged.
“The lesson we learned is to always be one step ahead. We now conduct frequent cyber audits… one is currently ongoing,” Pope said. “We continue to dig deeper and deeper. We have pages and pages about what we are doing as a result.”
Never go it alone when fighting back
These cyber war veterans, and other hospital CEOs like them, are not merely surviving. They are protecting, and making real, the promise that technology can do its part to empower high-quality, sustainable healthcare in rural communities.
For its part, HealthSure has launched a new initiative we affectionately call CSI – short for Cyber Security Insurance.
It is a 360° approach, giving hospitals access to a comprehensive set of solutions created to protect them from the dangerous world of cyber risks.
CSI provides breach response services for up to five million persons along with coverage for payment card industry costs, regulatory defense and penalties, and first-party and crime coverage. All CSI policyholders have access to pre-breach and risk management services.
As you can tell from the cybercrimes described above, preparing for and preventing breaches have become inseparable from insuring a cyber loss. That’s why CSI gives hospitals access to dedicated services that focus exclusively on managing cyber incidents successfully. We know a cyber breach isn’t always a disaster. Mishandling it is.