Ransomware attacks might not be as frequent as in previous years. However, they still are a common attack vector in 2019. Recently, a Michigan medical practice was completely compromised due to a ransomware attack that not only locked the medical practice out of accessing patient health information as well as scheduling and billing information. The ransomware attack prevented access into all the computer systems within the practice unless payment was submitted to the attackers.
The ransom demanded a payment of $6,500 or roughly ₿1.27 bitcoin. The owners of the medical practice decided to simply close their business instead of following through with any payment. Since the practice refused payment, the attackers deleted all the files on their computer systems.
The attackers were able to successfully attach ransomware onto their victim's computer systems. It is currently unknown what other types of access they had or continue to have. The attackers were able to successfully encrypt patient information, which means they may have also transferred the data offsite for a potential sale on the black-market. The attackers didn’t get ransom money from the victim, but they may be able to obtain compensation for their efforts in other ways.
If the medical practice had appropriate backup and recovery procedures in place for their computer systems and patient information, they likely wouldn’t be shutting down the practice. Secure backups alone won’t prevent the practice from receiving legal and HIPAA penalty fees, since patient information was breached and disclosed to unauthorized individuals. However, it would certainly have ensured that critical health information about patients was not lost forever.
Ensuring that routine backups occur on a regular basis is important, but it is just as important to make sure that the backed-up data is not also easily accessible from the practice’s network. Critical information such as backups should not be accessible from the source in which the data was backed up from. Yes, having a local copy is convenient and would allow you to restore a system in a short amount of time, but data that is backed up should be segmented off the network and a copy should also reside securely off-site in case a ransomware infection attempts to spread. A practice may have backups, but these would be useless if the ransomware was able to spread to the systems that were storing and maintaining them.
Conducting a thorough security risk analysis can identify risk exposures such as this, which is the first step in improving security. Mitigating risks identified in a security risk analysis can help prevent medical practices from suffering catastrophic losses related to an attack.