A Teachable Moment: Hospital Goes Public after Making Ransom Payment

It’s unusual for victims of ransomware to publicly acknowledge that they have paid hackers to go away. But a regional hospital in Indiana has made public its experience last week with a “sophisticated criminal group” as a teachable moment for other institutions faced with the vexing choice of whether to give in to the ransom demands of cybercriminals.

The Hancock Regional Hospital in Greenfield, Indiana – a general medical and surgery facility located 20 minutes from Indianapolis -- was attacked last Thursday night by a ransomware called SamSam, which targeted the hospital’s “most critical” information systems including more than 1,400 files.  The hospital paid the hackers about $50,000 in Bitcoin for private encryption keys to unlock its files and restore its IT network.

“My hope is that this retelling of the events will help shed light into the extraordinary efforts our organization mounted in response to a potentially disastrous event,” wrote the hospital’s Chief Executive Officer, Steve Long, in a blog post explaining his decision to go public with details of the attack and decision to make the ransomware payment.

Hancock Regional Hospital’s experience with ransomware isn’t an isolated instance.  Ransomware attacks in the healthcare industry have been on the uptick.  One recent survey says that ransomware attacks have increased by almost 90 percent in the sector during the past year.  In 2016, the U.S. Department of Health and Human Services Office for Civil Rights issued guidance to help the industry address the threat.

The Hancock attack started last Thursday evening after IT staff at the hospital noticed “negative changes in system performance.”  Moments later, messages were displayed on computer terminals throughout the hospital saying that the system was under attack and that decryption keys could be purchased with Bitcoin payable on the Dark Web.  The message contained detailed payment instructions.

According to the CEO’s blog post, the hospital then shut down its network.  The malware was eventually isolated at the hospital’s back-up site but by then – the electronic tunnel between the backup site and hospital had already been compromised by the hackers – which meant that purging encrypted data and replacing it with clean data was no longer a viable option.

“[T]he core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers,” wrote Long.  “Thus, backup of the rest of the network systems would never have been a possibility and acquisition of the decryption keys was unavoidable.”

Long also noted that the hospital was “in a very precarious situation at the time of the attack,” between bad weather conditions and a nationwide flu epidemic.  “[W]e wanted to recover our systems in the quickest way possible and … made the deliberate decision to pay the ransom to expedite our return to full operations.”

A forensic investigation determined that the hackers – most likely from Eastern European – obtained the login credentials of a vendor that provides hardware for one of the critical information systems used by the hospital.  Using the stolen credentials, the hackers targeted a server in the hospital’s emergency IT backup facility.

Before paying the ransom, the hospital brought in the FBI’s cybercrime task force for “advisory assistance.”

Another Indiana hospital, Adams Memorial Hospital in Fort Wayne, also acknowledged a ransomware attack the same day and said its servers were affected but did not release additional information.  A statement posted to the hospital’s website said there “no interruption in patient care or to the quality and safety of patient care was experienced … [and] we do not believe any patient information has been compromised.”

It’s not clear if the two attacks are related.

And a third healthcare company, Allscripts, also reported a ransomware attack late last week.  Allscripts, a major player with its popular electronic health records and e-prescribing systems, said the attack affected the company’s data centers in North Carolina. In a statement, an Allscripts spokesperson said, “We are investigating a ransomware incident that has impacted a limited number of our applications. We are working diligently to restore these systems, and most importantly, to ensure our clients’ data is protected. Although our investigation is ongoing, there is currently no evidence that any data has been removed from our systems.”