Lessons learned from ransomware attack on small Indiana hospital | Crain's Indianapolis

Lessons learned from ransomware attack on small Indiana hospital

Scott Shackelford is an associate professor of business law and ethics at the Indiana University Kelley School of Business, and serves as chairman of IU Bloomington’s cybersecurity program and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance.

A ransomware attack on a Central Indiana hospital in January serves as a reminder that hackers target not only large companies but smaller organizations such as Hancock Regional Hospital in Greenfield, because the attacks are so easy to launch, an Indiana University expert said.

The attackers do not need much money nor even much expertise in technology, said Scott Shackelford, associate professor of business law and ethics at the Kelley School of Business, who is chairman of IU Bloomington’s cybersecurity program and director of the Ostrom Workshop Program on Cybersecurity and Internet Governance there.

“A lot of these attacks are just spewed out,” Shackelford said. “If they get a 1 percent hit rate, they will come out ahead. You really don’t even need any technical expertise. You can rent ransomware and launch them. Some ‘services’ say you don’t have to pay unless you’re successful.”

Ransomware attacks are not just the work of high-tech criminal organizations or crafty nation-states, he said. “Anybody with a motive can do it because the means are pretty limited,” Shackelford said.

As a result the attacks have been on the rise for several years, he said. One study suggests that ransomware attacks climbed from 930 per day in 2015 to 1,200 per day in 2016, Shackelford said.

Last month Hancock paid a ransomware attacker an estimated $55,000 in bitcoins to decrypt more than 1,400 files encrypted with SamSam ransomware using a hospital vendor’s login credentials, officials said.

“Of course the team was shocked by the intrusion,” hospital spokeswoman Jenn Cox said. “You never expect to get that message, call, etc. Was it always in the back of our minds? Of course. You don’t take all the precautions we do and others do as well, if the thought of it happening wasn’t a reality.”

A “sophisticated criminal group” that hospital officials believe was based in Eastern Europe used the vendor’s credentials to target a server in the hospital’s emergency IT backup facility many miles from the main campus, said Steve Long, president and CEO of Hancock Health.

“This malware was targeted to encrypt data files associated with the most critical information systems of the hospital. Fortunately, patient life support systems were not directly affected,” Long said in a prepared statement. “The message included step-by-step instructions required to obtain the decryption keys and noted that lack of payment within seven days would result in permanent encryption of the data.”  

IT staff immediately shut down all network and desktop systems of the hospital’s 1,200 employees, and signs were posted explaining the attack, he said. Hancock leaders contacted attorneys and cybersecurity specialists, and eventually the FBI “became embedded in the process,” Long said.

“When the source of the infection was identified on a server at the backup site and it was learned that the electronic tunnel between the backup site and the hospital had been compromised, it became clear that there were no easy-to-implement means of purging the encrypted data and replacing it with clean data from backup systems,” he said. “With this in mind, the decision was made to purchase the decryption keys.”

Hospital officials eventually determined that although backup medical files had not been accessed, core portions of backup files from many other systems had been “purposefully and permanently corrupted” by the hackers, Long said.

“Thus, backup of the rest of the network systems would never have been a possibility and acquisition of the decryption keys was unavoidable,” he said.

The hospital learned many useful lessons from the experience, including identifying simple “process issues” such as making sure enough paper is on hand should record keeping need to go “old school” and remembering how to communicate without electronic devices, Cox said.

“Simple things like what happens to your scheduling and phone tree when phones don’t work?” she said. “What is your plan B? Also, you are never completely protected from a situation such as a cyber attack. It can happen to anyone, unfortunately.”

The hospital has no regrets over paying the ransom, Cox said. “Our CEO made the final decision based on the information given to the team by the FBI,” she said. “It was the best and safest choice in our opinion.”

Paying ransom does encourage attackers, but some agencies have no other choice, Shackelford said.

“It’s good advice to ideally not pay up,” he said. “It makes more of a benefit in cost-benefit analysis of the behavior. But a lot of organizations don’t have a choice. When you don’t have many choices or a program set up to help them investigate and respond to recover files, what else can you do?”

The notion that hackers target only large organizations with lots of money is simply not true, Shackelford said.

“It’s not uncommon for even small organizations to be targeted as well,” he said. “They’re not going to ask everyone for $1 million in bitcoin. If it’s even $1,000 or a couple thousand, it’s more likely people will pay up. It’s not uncommon to make ransom demands reasonable for the size of an organization and what they might pay. But what is reasonable seems to be spiking.”

February 12, 2018 - 11:46am