Here is why Hancock Health decided to pay the SamSam attackers' $55k ransom

In an uncommon, less-advised move, officials at Hancock Health in Greenfield, Ind., decided to pay hackers' ransom — and made that fact public knowledge.

The hospital was struck Jan. 11 with a strain of ransomware known as SamSam that targeted "files associated with the most critical information systems," Hancock Health President and CEO Steve Long wrote in an organization blog post. The hospital paid the hackers roughly $55,000 in bitcoin in exchange for private encryption keys to unlock its files.

Now, Mr. Long is sharing his decision-making processes with other hospital leaders. "My hope is that this retelling of the events will help shed light into the extraordinary efforts our organization mounted in response to a potentially disastrous event," he wrote.

Hancock IT staff first discovered the hospital was facing a cyberattack when it noticed "negative changes in system performance." Shortly after, computer terminals throughout the hospital displayed messages indicating that the system was under attack. Hancock then shut down its network and isolated the virus to its backup site, but the "electronic tunnel between the backup site and hospital" had already been compromised. Replacing the locked files with clean backups was no longer an option, according to Mr. Long.

"[T]he core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers," Mr. Long wrote. "Thus, backup of the rest of the network systems would never have been a possibility and acquisition of the decryption keys was unavoidable."

Between bad weather and this year's aggressive flu season, the hospital's decision-makers had to react swiftly, he added. "[W]e wanted to recover our systems in the quickest way possible and … made the deliberate decision to pay the ransom to expedite our return to full operations."

The hospital contacted its legal advisers and cybersecurity firm Pondurance, as well as the FBI, for its investigation. It determined no patient information has been diverted out of the hospital and hackers didn't access patient data inside the network.

Through that weekend, systems were slowly brought back online, and by Sunday evening, Hancock's EMR was functional again. "By Monday morning, critical information systems were back online and the work of the disaster recovery team was beginning to shift to monitoring the network and ensuring remaining systems work was completed, tasks that will be ongoing for some time," Mr. Long wrote.

Mr. Long explained the attack was initiated by a "sophisticated criminal group" it believes was located in Eastern Europe. The group has obtained login credentials from a vendor that supplies Hancock with hardware for one of its critical information systems.

"That said, the attack on Hancock Health was not random, it was a pre-planned event that used the hacked login ID and password of an outside vendor to gain entrance into the system.  The fact that this was a premeditated attack specifically targeted on a health care facility makes the attack indefensible in my estimation," Mr. Long wrote.

Click here to read the full blog post.

More articles on cybersecurity:

Microsoft to discontinue HealthVault Insights, the company's mHealth experiment

Healthy individuals more likely to use sleep-tracking apps, study suggests

Astria Health selects Cerner CommunityWorks for EHR, RCM system

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.

 

Top 40 Articles from the Past 6 Months