MedStar Shuts Systems After CyberattackApparent Ransomware Attack Follows String of Similar Hospital Assaults
This story has been updated.
See Also: 2016 Social Engineering Report
A March 28 cyberattack that may have involved ransomware forced MedStar Health, a 10-hospital system serving Maryland and the Washington, D.C. area, to shut down many of its systems to avoid the spread of the malware.
The attack against MedStar Health comes on the heels of other recent ransomware attacks that targeted Methodist Hospital in Kentucky, two California hospitals operated by Canada-based Prime Healthcare Inc., and also Ottawa Hospital in Canada (see Hospital Ransomware Attacks Surge; So Now What?). And in February, Hollywood Presbyterian Medical Center in California paid extortionists a $17,000 bitcoin ransom to unlock its data, which was maliciously encrypted by extortionists using ransomware.
In a March 28 statement, MedStar said, "Earlier this morning, MedStar Health's IT system was affected by a virus that prevents certain users from logging in to our system. MedStar acted quickly with a decision to take down all system interfaces to prevent the virus from spreading throughout the organization."
Then, in a update posted the afternoon of March 29, MedStar noted: "Significant progress is being made toward restoring functionality of MedStar Health's IT system. ... After a careful assessment and testing overnight, we are working to restore the majority of our IT systems today. We are using backup systems, including paper documentation - a process used before the advancements of technology - where necessary, and as an additional layer of support to our clinical operations. We will continue to partner with experts in the field of IT and cybersecurity, as well as law enforcement, to continually assess the situation as we safely restore functionality."
The statement also noted: "With a few unique exceptions, all of our doors remain open. ... We have no evidence that patient information has been compromised or stolen in any way. Patient information will not be added to any system without ensuring it is completely free of any and all viruses and security threats."
On March 30, MedStar provided an additional update: "Within 48 hours of the malware penetration on MedStar Health's information system, the three main clinical information systems supporting patient care are moving to full restoration, and enhanced functionality continues to be added to other systems. ... Restoration of additional clinical systems continues, with priority given to those related directly to patient care. ... Systems that enable patients to make medical appointments are moving toward full restoration, and this will reduce the disruption in appointment setting experienced in the initial hours following the detection of malware."
MedStar did not reply to Information Security Media Group's request for comment. In addition to 10 hospitals, MedStar operates numerous urgent care and ambulatory care facilities, as well as physician offices in the Baltimore and Washington area. The organization's website says it cares for more than 500,000 patients each year.
The Washington Post reports that the FBI is investigating the breach. The newspaper also reports that two MedStar employees say the malware attack involved a request for a ransom, but MedStar hasn't officially confirmed that account.
In a statement provided to ISMG, an FBI spokeswoman says, "we cannot confirm the existence of an investigation, [but] the FBI is aware of the incident and is looking into the nature and scope of the matter."
The recent string of ransomware attacks is leading to a discussion of whether HIPAA's breach notification requirements need to be clarified (see Ransomware: Time for a HIPAA Update?).
Security experts say the recent ransomware attacks on hospitals spotlight how attractive healthcare organizations are to cybercriminals and how vulnerable many of those entities are to cyberthreats.
"Healthcare systems have a low barrier to entry as their networks, systems and devices are built for patient care and were never built for security," says James Carder CISO at security services provider LogRhythm Labs. The lesson that should be learned from these recent incidents "is that cybersecurity and patient care are directly connected," he says. "The networks, systems and devices need to be adequately protected. They need to be built ready to operate in a somewhat hostile environment."
And the ransomware assaults that are hitting the headlines are likely just the tip of the iceberg, he says. "Healthcare providers should understand that they are a high-value target for a number of threat actors. ... Most healthcare organizations are vulnerable to and dealing with attacks from nation-state threat actors, financial crime groups and even terrorists. The majority of these go undetected, uncontrolled and unreported."
Although Hollywood Presbyterian admitted paying a ransom to unlock its data from extortionists last month, several other recently attacked hospitals say they've managed to address similar attacks without paying ransoms.
Two of Prime Healthcare's hospitals in California - Chino Valley Medical Center and Desert Valley Hospital - reported "server disruptions" on March 18 that were linked to ransomware, a spokesman told ISMG on March 23. The organization's IT team immediately implemented protocols and procedures to contain and mitigate the disruptions, he says. "The hospitals remained operational without impacting patient safety, and at no point was patient or employee data compromised."
Also Methodist Hospital in Henderson, Ky., in a March 18 statement, revealed it had been a victim of a ransomware attack, saying the hospital's information systems department "responded quickly to the virus and immediately shut down the system to control the virus from spreading." While the system was down, a backup system was activated, the hospital says. "The backup system ran smoothly and allowed the hospital to continue its daily operations without interruption."
On March 22, a Methodist Hospital spokeswoman told ISMG, "the virus has been contained and there have been no further outbreaks. Our system is up and running." The incident was "a result of a malicious email that made it through the spam filter and was opened. No ransom was paid; they were asking for bitcoins. The situation has been reported to the Henderson Police Department in Kentucky, and the FBI is investigating. No patient data or records were compromised."
Earlier this month, Ottawa Hospital in Canada contained ransomware infections on four of the hospital's 9,800 computers that were attacked over a three-week period, a hospital spokeswoman tells ISMG.