Last week, Indiana-based Hancock Health suffered from a ransomware attack on the data it holds on its patients.
The organization posted a statement on its website on January 15th explaining what had happened: “At approximately 9:30 PM on Thursday, January 11, 2018, an attack on the information systems of Hancock Health was initiated by an as-yet unidentified criminal group. The attack used ransomware, a kind of computer malware that locks up computers until a ransom is paid, usually in the form of Bitcoin.”
Hospital officials told the Greenfield Daily Reporter that the hospital had paid $55,000 to recover the approximately 1,400 patient files that the attacker encrypted. File names were changed to “I’m sorry”. The hospital was told that it had seven days to pay the ransom, or the files would be permanently encrypted.
Steve Long, the CEO of Hancock Health, told the newspaper that an investigation launched following the attack confirmed that no personal patient information had been taken by the hackers. He also said that the affected files had been backed up, but that restoring them could have taken several weeks and would have been a more costly process than paying the ransom. Long said that while deciding to pay the ransom was not easy, from a business standpoint paying it made sense. The hospital has cyberinsurance to provide coverage.
The hacker, thought to be operating out of Eastern Europe, requested four bitcoins, valued at around $55,000. “These folks have an interesting business model. They make it just easy enough (to pay the ransom),” Long said. “They price it right.”
After they retrieved the bitcoin uploaded to the web, the hackers released the files and within a couple of days, the hospital computers were back up and running.
Hospital staff started to realize there was a problem when computers were running more slowly than usual on Thursday evening. Shortly afterwards, a message appeared on a hospital computer screen, stating that parts of its system would be encrypted until a ransom was paid. Weather conditions and flu season made it even more pressing than usual that the hospital return to normal conditions, Long said.
The CEO also mentioned a recent episode of the hospital drama “Grey’s Anatomy” in which a similar scenario led to malfunctioning equipment that put patients’ lives at risk. In the show, the hackers demanded $20 million.
“That’s a TV show – that is not real life,” Long said, adding that no equipment used to treat or diagnose patients was affected and most patients likely didn’t notice that there was a problem. Medical staff turned to pen and paper to note patients’ medical reports, and hospital officers said the hospital regularly practices such procedures to stay on top of them.
Investigators found that the hacker had entered the hospital’s network through its remote-access portal, logging in with an outside vendor’s username and password. Since then, employees have been asked to change their passwords, and the IT department has implemented software that detects patterns indicating that a similar attack is about to occur, before hackers gain entry.
Hancock Health brought on board Pondurance LLC, an Indianapolis-based cybersecurity firm that specializes in threat management. A spokesperson for the FBI’s Indianapolis field office declined to comment. The FBI has a general statement on its website stating that the agency “does not support paying a ransom to the adversary”. However, it is up to the individual company to make a final decision on whether to pay or not.
Long says he knows there’s no way to fully protect against such a cyberattack occurring again. If hackers gain access to an authorized username and password, there’s little companies can do to prevent such intrusions.
“Do I think it can happen again?” Long said to the Greenfield Reporter. “Sure I do. It can happen to anyone.”