
How a physician-owned practice recovered from a ransomware attack



About half of ransomware attacks have disrupted healthcare delivery in the largest hospitals and healthcare systems, according to a JAMA study published earlier this year.

But at small and mid-sized vendors, which typically have tighter security budgets and fewer recovery resources, such attacks can do more than just disrupt: they can upset routines for days or even weeks.

Two years ago, OrthoVirginia, Virginia’s largest supplier of drugs and chiropractic, was attacked with the Ryuk ransomware, which left access to workstations, imaging systems needed for surgery, schedules, backed-up data, etc. disabled.

Terri Ripley, chief information officer of OrthoVirginia, and Steve Cagle, CEO of Clearwater Security and Compliance, agreed to share their experience of recovering from an attack and talk about building OrthoVirginia’s cybersecurity strategies beyond recovery.

Ripley, who has over 30 years of medical IT experience in implementing medical technologies (she currently designs, develops and supplies information systems for large orthopedic clinics), also has some important advice for vendors struggling with cyber risk perception in their organization.

“Implementing cyber hygiene measures can be challenging when perceived as slowing down or hindering care delivery,” says Ripley.

Q. Early in the pandemic, OrthoVirginia experienced what you would call a “perfect storm” that made it possible for a network incident to penetrate a physician-owned clinic network. Can you please describe the discovery of the problem, the impact of the ransomware on reality, and what your team faced to fix the problem?

Ripley. Absolutely. Our IT monitoring system identified a malicious implementation of ransomware on our local network on February 25, 2021. We were later told it was an advanced Ryuk ransomware attack.

The issue affected our Windows servers, workstations, storage and network backups, but fortunately not our [electronic health records] storage servers. When OrthoVirginia discovered the problem, it was able to stop the intrusion and prevent access to old data files and data images.

It was subsequently determined by our forensic investigators that malicious surveillance began on or before February 23.

One of the most important impacts on our practice is the encryption of [picture archiving and communication system], which houses all of our X-rays and is an important component of orthopedic surgery. The network security issue affected the application and database service for viewing images.

However, there is no forensic evidence that those images were accessed. And because we’ve only recently reopened our operating room after COVID, we’re in an important position to continue the surgeries we’ve scheduled for our patients.

We have a really small IT team and I have to say, I couldn’t be prouder of their response to the situation. They immediately shut down our servers to avoid further contamination.

I have reached out to our cyber insurance event response team and the FBI; all of which matter as we deploy responsive software, conduct forensic analysis, and continue to negotiate ransoms. I think it’s really important to note that we didn’t pay the ransom.

We spent the next 18 months recovering from the incident.

We’ve established access to the EHR from within the office via an isolated wireless network, and your own carry-on access is protected. We bought as many Chromebooks as we could and urged employees to bring their own devices and spend the next four months working on them as we rebuild virtual machines and recover data, whether the application is prioritized by the business unit.

We provided office hours to support access to the EHR and implemented a brand new PAC system within two weeks.

I’m pretty sure that never happened, but we put our patients first and this is essential to their care. We were really creative and used every resource we could think of, but in the end, we never had to shut down patient care, and that’s what matters most.

Q. What is the remedy and how has Clearwater helped OrthoVirginia comply with OCR?

Cagle. We partnered with OrthoVirginia after the initial troubleshooting. Terri [Ripley] knew they needed help building a stronger cybersecurity program, and after reviewing several potential vendors, they chose Clearwater.

Initially, Terri asked us to provide a virtual chief of security, but the more she talked, the more she realized she needed something more comprehensive, and we created a translation program service that is managed for her.

While we were helping OrthoVirginia establish a cybersecurity roadmap, tabletop practices, and comprehensive risk analysis, they received an investigation letter and data request from [Office of Civil Rights] regarding an individual’s access to a patient’s image being temporarily unavailable due to a ransomware incident.

OCR’s investigation is comprehensive, as it focuses not only on the access request but also the ransomware incident. Terri feels confident that what happened at OrthoVirginia did not violate any of the HIPAA rules and did not constitute a violation of [electronic patient health information], and asked us to help respond to the inquiry letter.

Our team has extensive experience with OCR, so we helped Terri articulate the results of OrthoVirginia’s forensic investigation, the controls in place at the time of the incident, and the actions taken immediately after discovery, which allowed them to respond successfully to OCR inquiry letters, initial data requests, and follow-up requests for additional information.

Q. Once the remediation plan is in place, what are your next steps to strengthen the practice’s attack surfaces from future incidents?

Ripley. That’s when we called Clearwater. I’m very proud of my small but mighty IT team, but it’s also a sign that we need some help building a stronger strategy.

It’s easy to read headlines about other incidents and think, “but not us.” We want to make sure that if something like this happens again, we can truly say we’ve prepared every defense to prevent it.

We signed up for Clearwater’s ClearAdvantage managed services plan for this reason. They helped establish a comprehensive program, including program management and leadership.

Since the crash, we’ve added a few key strategies, some smaller, like multi-factor authentication and digital identity badges, and some larger strategies, such as cybersecurity program performance evaluation, rigorous risk analysis, technical testing, and executive desk practice. It’s all part of a larger strategy to help us do more with our small team.

Q. What recommendations do you have for suppliers who are having difficulty implementing recommended cyber hygiene practices?

Ripley. I think you have to start with a general understanding of why.

OrthoVirginia is a physician-owned organization, so implementing cyber hygiene measures can be challenging when it is thought that it slows the delivery of care or hinders it. If we can go back in time and understand what is at stake and how much of an impact a cyber incident is having on our organization, I think we will have a better consensus on how to make some changes.

Cagle. I agree with Terri and I would add that effective communication with your management is critical to ensuring not only financial resources for cleaning operations, but also prioritization.

You can do this in a variety of ways, from giving your CISO a spot on the next agenda to inviting your cyber insurance or cybersecurity partner to speak at the next council meeting. We do this for our clients at Clearwater, because we know how important it is to communicate business goals and risks to a company’s equity value if the right strategies and best practices are not applied prior to the incident.

There is really no healthcare organization that cannot be targeted, small to large, public to private. It’s not important.

Q. How can vendors following frameworks stay ahead of the bad guys with new waves of attacks, like QR code mining, vishing, and smishing?

Cagle. Cybercriminals have become much more sophisticated in their strategies and techniques for attacking healthcare organizations. Leveraging frameworks and following cybersecurity best practices can help organizations successfully prevent these attacks.

Humans are the number one subject of cyber attacks and phishing/social engineering is the top threat. It’s important to train your workforce to trust nothing and nobody when it comes to the digital communications they receive, which now includes voicemail, text messages, and phone calls. They need to learn to operate without a doubt, suspecting anything they can’t verify as legitimate, including QR codes.

It’s also important to test the effectiveness of that training with social engineering and periodic rogue exercises, where you’re sending a scam or simulated scam to see if/how many of your employees click or respond in a way they shouldn’t. This validates the effectiveness of your training and identifies any gaps that need to be filled.

Ripley. I will reiterate the importance of both this training and testing process. This is what I mean when I say it’s easy to think “not us.” We naturally trust the communications we receive, and attackers know it.

They are believing in our ability to outdo our workforce. This is how they get into the network undetected, giving them time to find a vulnerability and exploit it.

Teach your staff, doctors, board of directors, advisors, and anyone connected to your network to assume that email, text messages, voicemail, etc., are dangerous until verified in different ways. Double check the source if it contains links or requests for feedback.

It’s the really simple things that can protect your organization or make it an easy target.

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
