Ransomware attacks might not be as frequent as in previous years. However, they are still a common attack vector in 2019. Recently, a Michigan medical practice was completely compromised by a ransomware attack that not only locked the practice out of its patient health information and its scheduling and billing information, but also prevented access to all the computer systems within the practice unless payment was submitted to the attackers.
The attackers demanded a ransom of $6,500, or roughly ₿1.27 in bitcoin. The owners of the medical practice decided to simply close their business instead of following through with any payment. Since the practice refused payment, the attackers deleted all the files on its computer systems.
The attackers were able to successfully install ransomware on their victim's computer systems. It is currently unknown what other types of access they had or continue to have. The attackers were able to successfully encrypt patient information, which means they may also have transferred the data offsite for a potential sale on the black market. The attackers didn’t get ransom money from the victim, but they may still be able to obtain compensation for their efforts in other ways.
If the medical practice had had appropriate backup and recovery procedures in place for its computer systems and patient information, it likely wouldn’t be shutting down. Secure backups alone would not have prevented the practice from receiving fines and HIPAA penalty fees, since patient information was breached and disclosed to unauthorized individuals. However, they would certainly have ensured that critical health information about patients was not lost or compromised.
Ensuring that backups occur on a regular basis is important, but it is just as important to make sure that outsiders cannot easily access data backups from the practice’s network. Yes, having a local copy is convenient and would allow you to restore a system in a short amount of time, but data that is backed up should be segmented off the network. Data backups should also reside securely off-site in case a ransomware infection attempts to spread; they would be useless if the ransomware were able to spread to the systems that store them.
Conducting a thorough security risk analysis is an important first step in improving security, and it can identify risk exposures such as this. Mitigating the risks identified in a security risk analysis can help prevent medical practices from suffering catastrophic losses related to ransomware or another cyberattack.