Three Lessons From a Hospital Under Ransomware Siege
By Saad Gul and Michael E. Slipsky
Missouri’s Cass Regional Medical Center (CRMC) was recently hit with a ransomware attack. Existing patients continued to receive care, but incoming trauma and stroke patients were diverted to other facilities. The hospital took its electronic health record (EHR) systems offline to contain the attack.
The hospital stated that patient information had not been compromised during the episode. It explained that an incident response protocol had been in place before the attack and was activated within minutes of its discovery. How the attackers got in remains unknown. CRMC brought in a cyber forensics firm and contacted law enforcement to assist with the recovery.
The incident is a vivid reminder that ransomware remains a persistent threat to the healthcare sector. Electronic health records are both vulnerable and valuable, which makes them an ideal target of opportunity: encrypting them halts clinical operations, and exfiltrating them exposes data the hospital is legally obliged to protect.
That said, the hospital limited the damage of what could have been a catastrophic incident, and its handling of the attack reinforces the value of cybersecurity fundamentals such as:
· Having an incident response plan in place. Because the plan already existed, the hospital moved promptly from routine operations to a crisis footing: medical staff could focus on patient care while management and technical personnel addressed the ransomware.
· Prompt action. CRMC’s decision to take the EHR system offline limited its regulatory exposure. Under HIPAA, unauthorized acquisition, access, use or disclosure of protected health information is presumed to be a reportable breach unless the covered entity can demonstrate a low probability that the data was compromised, and OCR guidance treats ransomware that encrypts electronic PHI the same way. By isolating the EHR system quickly, the hospital narrowed the window in which patient data could be accessed or exfiltrated, strengthened its position that no breach occurred, and reduced the likelihood of OCR enforcement action.
· Recovery timeframe. Notwithstanding the textbook response, forensic work and the need to protect systems during cleanup meant that computer operations could resume only gradually. The lesson is evident: even the best plans, well executed, may entail the loss of functionality for a time. Manual backups or alternative mechanisms, such as paper-based downtime procedures, are therefore indispensable.
The CRMC episode illustrates that ransomware continues to pose a significant threat to healthcare institutions, a threat compounded by the sector’s extensive reliance on electronic data systems. But it also demonstrates that basic breach-response procedures significantly ameliorate the effects of an attack. With ransomware, an ounce of prevention is worth a pound of cure.
Saad Gul and Mike Slipsky, editors of NC Privacy Law Blog, are partners with Poyner Spruill LLP. They advise clients on a wide range of privacy, data security, and cyber liability issues, including risk management plans, regulatory compliance, cloud computing implications, and breach obligations. Saad (@NC_Cyberlaw) may be reached at 919.783.1170 or firstname.lastname@example.org. Mike may be reached at 919.783.2851 or email@example.com.