When a patient care organization falls victim to a ransomware attack, in many instances, because hackers have encrypted the data, the healthcare entity isn’t left with a whole lot of options other than paying the criminals so they can restore operations.
However, authorities such as the FBI advise victims not to pay ransoms to the hackers. “Payment does not guarantee files will be recovered. It may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities,” according to a recent FBI flash alert.
Still, for many healthcare entities, there is no right answer when they have been breached and their data is held for ransom. On one side of the coin, there isn’t even a guarantee that files will be recovered, even if payment is made, as the FBI states—plus it’s bad precedent to give in to criminals—but on the other side, when victims are faced with an inability to function, it might feel that paying the ransom is better than having core systems shut down for days or weeks.
Then there’s the significant cost component to the decision. Throughout last year, 92 individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million patient records. The estimated cost of these attacks in total is nearly $21 billion, according to a recent analysis from security company Comparitech. Based on the average ransom demand in 2020 being $169,446, hackers demanded an estimated $15.6 million in ransoms. What’s more, hackers received at least $2,112,744 in ransom payments, not counting other undisclosed amounts. But the cost of downtime is also massive; a 2017 estimate places the average cost per minute of downtime at $8,662, and this would mean the cost of downtime to healthcare organizations in 2020 was around $20.8 billion.
When the Klamath Falls, Ore.-based teaching hospital Sky Lakes Medical Center experienced a ransomware attack last fall, officials initially said they were “anticipating a detrimental financial impact on the medical center,” according to the organization’s media team that reported on the incident. It was soon learned that the Ryuk ransomware actors were behind the attack, and were also behind several others on hospitals in the span of just 24 hours.
In a recent interview describing the incident, Sam Stewart, network systems analyst at Sky Lakes Medical Center, recalled that back on October 26, an employee who was set to leave the organization had a meeting with HR, and following that meeting, unexpectedly got an email that looked like it contained information from Sky Lakes’ HR department. The email linked to a document that was stored in Google Drive; the employee clicked on that document, and it downloaded something. The employee mentioned after the fact that her computer screen went dark for a second, but she restarted and didn’t think much of it from that point on.
About 12 hours later, Sky Lakes’ after-hours on-call team was notified of a few applications that were offline, and some others that were a little slow and not functioning as well as they usually do, Stewart explains. It was around that time when the organization recognized the first compromised files and servers that were infected with that ransomware. “Shortly after that, we started our recovery efforts, and within about 24 hours, our leadership team started to advise us to turn off all computers in the organization, which [encompassed] about 2,500 devices, as well as all of our servers that hosted our applications—so [approximately] 600 servers—that we then had to turn off to help limit that spread.”
At that point, Stewart continues, “We were basically in full downtime, and we had to cut ties with our partner hospital that hosts our medical records. All other business and clinical applications were offline at that point—including email. We do practice downtime procedures fairly regularly with our providers and nursing staff, so that part wasn’t a huge deal, but when downtime becomes prolonged, then you have a big problem,” Stewart says. In the near term, he adds, Sky Lakes had to revert back to “old-school documentation methods with everything on paper.”
As the incident was ongoing, Paul Stewart, president and CEO of Sky Lakes, acknowledged that the organization had to “cut back on some elective and outpatient services while our systems have been down. We are also having to spend money on new equipment that we had not anticipated, such as PCs and servers, etc., as well as extra labor expense.” He further stated that the focus was on the enterprise’s clinical systems, while “other systems, such as accounting, billing, email and other support systems have a lower priority and will take longer to restore to full functionality.”
Network analyst Sam Stewart added in our interview that for the most part, the majority of patient care wasn't heavily impacted. “We were able to treat our patients, [though] we did have to postpone some non-critical surgeries, just to ease the strain on the staff. Our first system recovered was on November 7, and that was back into production use by November 9. That was an application in our cancer treatment center, which was one of our higher priorities to get back online. Cancer doesn't wait around for anybody and doesn't care if your computers are online or not. So this was one of our more critical ones to try to get up sooner than later. About 23 days after the initial attack on October 26, we were able to get access back to our medical record system hosted in Epic. So, overall, patient care survived,” Stewart contends.
Sky Lakes bucks the trend
CEO Paul Stewart emphasized early on that the organization “will refuse to pay any extortion.” That’s easier said than done, but one key for Sky Lakes to stand their ground against the hackers was the partnership it had with Cohesity, an information technology company whose IT architecture aims to ensure that an organization’s backup data cannot be encrypted, modified or deleted.
Sky Lakes had been using Cohesity as its backup server solution for about a year before this incident, and the first step of that process is to create a “safe network” that is isolated from everything else, meaning that nothing could get into it unless someone physically puts it in there, explains Sam Stewart. The next step involved leveraging the aid of a third-party security firm, as well as the Cisco Talos Intelligence Group, to identify when the initial ransomware attack started. That gave leaders at Sky Lakes a date to work backwards from, so they could then assume that at any point after October 25, everything in the system was dirty. “We had to find a point in time where we had known clean backups, and then we could start the recovery process,” he says.
At that point, all Stewart and his team had to do was click “recover,” thus enabling Sky Lakes to instantly clone the last good backup of its NAS (network-attached storage) shares and serve those files directly from the Cohesity cluster—recovering the service to users without the need to move data. “That allowed us to get the virtual servers back online, and from there, we were able to get security tools in place on them to check for any signs of compromise that might have been missed, as well as perform scans to validate they were actually clean,” Stewart explains.
Once that took place, data was put into the established clean network for application testing and validation. “Once we validated that they were clean and good to go, we moved them back into production,” Stewart says. In essence, when criminals do get inside an organization’s system and demand a ransom for the data they have “kidnapped,” Cohesity lets customers simply replace the encrypted data with clean data in minutes, which can render the criminals’ demands moot.
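The recovery logic described in the preceding paragraphs (establish when the compromise began, treat everything after that as dirty, roll back to the newest known-clean immutable backup, then validate the restored data in an isolated network before promoting it to production) can be modelled in a few dozen lines. The following is an added example written for this page, not Sky Lakes’ or Cohesity’s own software; the snapshot names, dates, file contents, manifest hashes and the 24-hour safety margin are all constructed assumptions chosen to follow the article’s timeline.

```python
"""Selecting and validating a known-clean recovery point.

Added example (not Sky Lakes' or Cohesity's code). Models the procedure in
the article: take the compromise start time established by the investigation,
treat every snapshot at or after it as dirty, choose the newest *immutable*
snapshot older than that cutoff (minus a safety margin), and verify restored
files against the hashes recorded when the snapshot was captured.
All names, dates, contents and hashes below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import hashlib
from typing import Optional


@dataclass(frozen=True)
class Snapshot:
    name: str
    taken_at: datetime            # capture time (UTC)
    manifest: dict[str, str]      # relative path -> sha256 hex recorded at capture
    immutable: bool = True        # WORM-locked: cannot be modified or deleted later


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def select_clean_snapshot(snapshots: list[Snapshot], compromise_start: datetime,
                          safety_margin: timedelta = timedelta(hours=24)) -> Optional[Snapshot]:
    """Newest immutable snapshot taken before (compromise_start - safety_margin), or None.

    The first timestamp investigators find is only an upper bound on when the
    intrusion really began, hence the margin. Mutable copies are never trusted:
    an attacker with access to the environment could have altered them.
    """
    cutoff = compromise_start - safety_margin
    candidates = [s for s in snapshots if s.immutable and s.taken_at < cutoff]
    return max(candidates, key=lambda s: s.taken_at) if candidates else None


def verify_restore(snapshot: Snapshot, restored_files: dict[str, bytes]) -> list[str]:
    """Compare restored contents against the snapshot manifest.

    Returns a list of problems (missing, unexpected, or hash-mismatched paths).
    An empty list means the restore matches the capture exactly and can be
    promoted from the isolated test network into production.
    """
    problems = []
    for path, expected in snapshot.manifest.items():
        data = restored_files.get(path)
        if data is None:
            problems.append(f"missing: {path}")
        elif sha256_hex(data) != expected:
            problems.append(f"hash mismatch: {path}")
    for path in restored_files:
        if path not in snapshot.manifest:
            problems.append(f"unexpected file: {path}")
    return problems


# ---- constructed sample catalogue (not real Sky Lakes data) ---------------
UTC = timezone.utc
CLEAN_CONTENT = {"etc/app.conf": b"db=oncology\n", "bin/scheduler": b"\x7fELF...clean..."}
DIRTY_CONTENT = {"etc/app.conf": b"db=oncology\n", "bin/scheduler": b"\x7fELF...trojaned..."}


def _manifest(contents: dict[str, bytes]) -> dict[str, str]:
    return {p: sha256_hex(b) for p, b in contents.items()}


CATALOGUE = [
    Snapshot("nightly-2020-10-22", datetime(2020, 10, 22, 2, 0, tzinfo=UTC), _manifest(CLEAN_CONTENT)),
    Snapshot("nightly-2020-10-24", datetime(2020, 10, 24, 2, 0, tzinfo=UTC), _manifest(CLEAN_CONTENT)),
    # Ad hoc copy on a writable share: newer than the nightly, but not trusted.
    Snapshot("adhoc-2020-10-24", datetime(2020, 10, 24, 14, 0, tzinfo=UTC), _manifest(CLEAN_CONTENT),
             immutable=False),
    # Captured after the phishing email landed: treated as dirty regardless of content.
    Snapshot("nightly-2020-10-26", datetime(2020, 10, 26, 2, 0, tzinfo=UTC), _manifest(DIRTY_CONTENT)),
]
# Constructed: the time the investigation fixed as the start of the compromise.
COMPROMISE_START = datetime(2020, 10, 26, 9, 0, tzinfo=UTC)


def run_recovery() -> tuple[Optional[str], list[str], list[str]]:
    """Pick the recovery point, then validate a faithful restore and a tampered one."""
    chosen = select_clean_snapshot(CATALOGUE, COMPROMISE_START)
    if chosen is None:
        return None, ["no clean snapshot"], ["no clean snapshot"]
    faithful = verify_restore(chosen, dict(CLEAN_CONTENT))   # should pass
    tampered = verify_restore(chosen, dict(DIRTY_CONTENT))   # should flag bin/scheduler
    return chosen.name, faithful, tampered


if __name__ == "__main__":
    name, ok, bad = run_recovery()
    print(f"recovery point: {name}")
    print(f"faithful restore problems: {ok}")
    print(f"tampered restore problems: {bad}")
```

The two checks at the end are the point of the exercise: the selection step keeps the team from restoring anything captured after the cutoff, and the manifest comparison is what justifies moving a restored server out of the isolated network, since a backup that merely exists is not the same as a backup that has been shown to match what was captured.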
Stewart says that Sky Lakes’ leadership, from its CEO all the way down, made it very clear from the beginning that there was no intention to pay the ransom. “They were confident in our services, and as IT staff, we were confident in Cohesity’s backups that we should be able to recover everything.”
So the initial message conveyed to staff, he says, was that “we have no intention of paying that ransom, for a multitude of reasons. For one, we don't want to further fund terrorist organizations, and two, there's no real guarantee they're actually going to help you unlock your files. They are criminals by nature, so taking their word that if we pay you, you're going to help me, is a little farfetched,” Stewart contends. He adds, “And even if we had not been able to recover, I believe the message still would have been that we aren’t paying the ransom, and we will rebuild from the ground up.”