'We did what a hospital does every day' — How Hancock Regional responded to a ransomware attack

It all happened in less than 48 hours: a ransomware attack, vital hospital computer systems shut down, a bitcoin payment secured on the dark web, and decryption codes used to make systems operational again. A cyberattack no one saw coming in January 2018 taught Hancock Regional Hospital officials a valuable lesson: Investing in cybersecurity is crucial.

Steve Long, CEO of the Greenfield, Ind.-based hospital, has spent the last year not only making sure his hospital's computers are safe, but also sharing his story about the decision to pay a ransom to hackers who targeted Hancock Regional Hospital's data.

Mr. Long was getting ready for bed on Jan. 11, 2018, just like any other Thursday night, when he received an influx of text messages and emails from staff describing a message on PC screens saying the hospital's systems were encrypted with SamSam malware.

The message was straightforward: Pay a ransom in bitcoin in less than one week or the data would be encrypted permanently. The hackers even included step-by-step instructions detailing how Hancock Regional could get the decryption keys.  

"Our immediate response [an hour or two into the attack] was to turn off all the computers that we had so that we could mitigate the further transference of the malware," Mr. Long said. "Then we pulled out our disaster response plan and decided what to do."

All attention turned to patient care, which meant using paper copies as the backup plan. With computer systems turned off, administrators, nurses and physicians relied on personal cellphones and non-hospital computers to communicate.

During the shutdown, more than 1,200 units were turned off and signs were posted around the hospital reminding staff to keep all computers shut down. Hancock Regional also established an incident command center. Nonessential staff were called off.

Mr. Long ensured communication through the cyberattack would not be lost.

Questions arose about how this could have happened and what the extent of the attack was. So Mr. Long and his team did what the emergency response plan said: contact experts.

While experts analyzed the source of the incident, the hospital kept operating.

"Babies were born, surgeries were completed, patients were treated in the emergency room and admitted, imaging and lab testing was performed. We did what a hospital does every day," Mr. Long said.

The 3 a.m., $55,000 decision

The FBI recommends organizations hit with ransomware attacks not pay, Mr. Long said. However, refusing to pay comes with consequences. It's important for hospitals and health systems to consider whether they have reliable backups, how long it will take to restore from backups and what the value of time is for affected providers.

"When you are in a situation where the entire system is encrypted, there aren't a lot of choices. At the time, we were uncertain whether we had backups. We went on the assumption that there wasn't going to be anything. So, we decided to pay the ransom," Mr. Long said.

Paying the ransom came with risks. Would Hancock Regional be a future target? Would Mr. Long and the hospital staff actually get their systems and data back? Would the hackers come back asking for more money?

Doubts loomed and questions surfaced, but Mr. Long and his staff made the decision to pay the ransom, which totaled $55,000 in bitcoin.

Like many hospitals, Hancock Regional didn't have bitcoin on hand. It can take several hours to acquire, Mr. Long said. He waited. And then the Hancock Regional team did something not many hospital leaders or everyday people expect to do: They went to the dark web to make the payment to the hackers.

Very early in the morning that following Saturday, the team made the exchange for the decryption codes.

"There were many, many hundreds of decryption codes. After we got our hands on the decryption codes, we had to validate them and then finally use the decryption codes. It took us a day and a half to get our critical systems up and running again," Mr. Long remembers.

By Monday most systems were operational, and within a few weeks all systems were up and running as usual.

Invest in cybersecurity

Since the cyberattack, Mr. Long and his team have analyzed the incident. It has also been important for Hancock Regional to share its story with other hospitals and health systems to ensure others are prepared.

When the incident happened, Mr. Long opened his hospital's doors to local newspaper the Greenfield Reporter. He detailed the incident honestly to become a spokesperson on the importance of cybersecurity. The ransomware attack even gained national attention from USA Today and CBS News. Through it all, Mr. Long was open to talking about the ransomware attack.

Over the past 18 months, Mr. Long has continued to be an advocate for healthcare cybersecurity. He and Hancock Regional were featured on "60 Minutes" in May, where Mr. Long and his team members discussed the importance of having an emergency response plan in place. Mr. Long stressed the importance of being transparent about the incident so other hospitals and health systems can learn how to respond to other cyberattacks. 

"We found that we were average and perhaps even a bit above average when it comes to being prepared. We were doing the things that all hospitals were supposed to do — penetration testing, network monitoring, antimalware software, etc. … Immediately after the cyberattack resolved, we installed a high-end anti-malware system that uses artificial intelligence to look for unusual patterns in the network. We also have different hardware that is monitoring on our network. And we also have a command center. So now we are among the best prepared," Mr. Long said.

All these cybersecurity investments came with a price tag, but to Mr. Long the security is more than worth the expense. "While we spend roughly three times more per year now than we did in the past, as a percentage of our total operating expenses, it is still very small and an incredibly worthwhile investment," Mr. Long said.

Patients continue to come to the hospital with no skepticism, Mr. Long says. Just as it kept running during the ransomware attack, Hancock Regional is operating as it did before the attack, only with added cybersecurity in place.

"One of the reasons we never lost trust with patients is that everyone was transparent during the data breach. We communicated clearly so all hospital staff knew what was going on. We didn't have an issue with lack of trust from patients," Mr. Long said.

Hancock Regional was even able to celebrate its emergency response. A month after the cyberattack, Mr. Long and the hospital staff wore shirts that read, "I survived the cyberpocalypse of 2018 and all I got was this silly T-shirt."

For other hospitals looking to be better prepared for a cyberattack, Mr. Long recommends exercising a response plan. Health systems should conduct enterprisewide risk analysis, develop and implement remediation plans, and regularly update and patch software.

No CEO ever expects to witness a cyberattack, but as other hospitals can attest, it can happen to anyone.

© Copyright ASC COMMUNICATIONS 2019.