Indiana hospital system, Hancock Health, said it paid hackers 4 bitcoin, or about $47,000, to unlock it’s network after a ransomware attack on January 11, 2018.
Hackers compromised a third-party vendor’s administrative account to the hospital’s remote-access portal and launched SamSam ransomware, a ransomware variant which encrypts data files on the systems and uses a private key to unlock them. It quickly infected the hospital’s IT system by locking out data and changing the names of more than 1,400 files to "I'm sorry."
Hancock IT staff first discovered the hospital was facing a cyberattack when it noticed "negative changes in system performance." Shortly after, computer terminals throughout the hospital displayed messages indicating that the system was under attack.
Hancock officials followed its incident response and crisis management plan. The hospital contacted its legal advisers and cybersecurity firm, as well as the FBI, for its investigation.
The incident was quickly contained and officials said the next focus was recovery.
The hospital was given just seven days to pay the ransom. Though officials said Hancock had backups of the affected files, it would have taken days or even weeks to recover them - and would have been more expensive.
“We were in a very precarious situation at the time of the attack,” Hancock Health CEO Steve Long said in a statement. “With the ice and snow storm at hand, coupled with one of the worst flu seasons in memory, we wanted to recover our systems in the quickest way possible and avoid extending the burden toward other hospitals of diverting patients. Restoring from backup was considered, though we made the deliberate decision to pay the ransom to expedite our return to full operations.”
Hackers released the files back to the hospital after receiving the bitcoins early Saturday.
“Before restoration, and to ensure containment, the team enhanced the security posture of hospital systems and the network. By Monday, January 15, 2018, critical systems were restored to normal production levels and the hospital was back online,” Hancock Health said in a release.
FBI forensic analysis found patient data was not transferred outside of the hospital’s network, and confirmed the motivation for the attack was ransom payment, not to steal patient data. Officials also stated that patient safety was never at risk.
The hospital's CEO stressed that the ransomware attack was not caused by the reckless behavior of the employees, though these types of attacks are commonly initiated by sending a malicious email with an attachment which infects the network when opened. In this instance the criminals managed to hack into the remote-access portal of the hospital.
The breach should serve as a wake-up call to healthcare (and all other) organizations, of all sizes, that ransomware attacks can occur - and their costs can be substantial.
The FBI, and many other security experts agree that organizations should not pay ransoms to hackers.
Peter Coroneos, the former chief executive of the Internet Industry Association and an expert on cyber policy, said whether or not to agree to ransomware demands presented practical and ethical dilemmas.
“As a matter of principle, the answer should always be no … based on the simple dynamics of perpetuating bad conduct. However, as a matter of practicality and necessity, the situation is somewhat more complex.”
Hancock Health was lucky that the hackers returned the files after paying the ransom, as there is no guarantee they would and hackers have been known to keep files and demand a second ransom payment.
There is another downside to paying a ransom, even if the files are returned. Hackers will likely place the business on a list of those willing to pay a ransom and can expect to be hit again in the future.
“There are lists out there, if you pay once, you may end up having to pay again because you’ve been marked as an organization that will pay,” said CynergisTek CEO Mac McMillan.
Coroneos states, “You really are rolling the dice if you choose to pay a ransom, and your chances aren’t good.”
Breadcrumb is a cybersecurity and executive advisory firm. Located in Central California, we partner with organizations throughout the US, protecting their critical assets from cyber breach. Contact us today for a no-obligation consultation.