Cass Regional Medical Center in Harrisonville, Missouri, has diverted trauma and stroke patients and shut down its EHR system due to a ransomware attack, the hospital said in a July 9 statement on its website.
Cass became aware of the ransomware attack on its IT infrastructure at 11 AM on Monday. The attack disrupted its internal communication systems and access to its EHR system.
In response to the attack, the provider’s EHR vendor, MEDITECH, has shut down the EHR system until the attack is resolved.
Cass stressed that it has found no evidence that patient data has been breached.
The hospital initiated its incident response protocol within 30 minutes of the first signs of the ransomware attack.
Patient care managers met to develop plans to ensure that patient care continued to be provided, while IT and senior leaders worked with law enforcement and cybersecurity experts to develop a resolution to the attack.
“Our primary focus continues to be on our patients, and meeting our mission to provide health care services to our community,” said Cass Regional Medical Center CEO Chris Lang. “We are deploying every resource available to us to resolve this situation quickly so we can resume normal operations.”
Monday afternoon, the hospital decided to “go on ambulance diversion for trauma and stroke in order to ensure optimal care for those patients.” Cass said it will continue to evaluate the situation and respond accordingly.
Cass could not be reached on Tuesday for an update on its response to the ransomware attack.
Ransomware attacks are top of mind for most healthcare IT pros. In fact, a ransomware attack is the type of cyberattack that most worries them, according to a survey of 102 HIMSS18 attendees by security firm Imperva.
Cass was smart enough to have an incident response protocol ready to go when the ransomware attack hit. Unfortunately, one-quarter of respondents to the Imperva survey did not have an incident response plan in place.
In March, HHS warned about attackers using SamSam ransomware to target healthcare and government organizations.
In the first quarter of this year, SamSam ransomware attacks occurred at Indiana-based Hancock Health Hospital and Adams Memorial Hospital, cloud-based EHR provider Allscripts, the municipality of Farmington in New Mexico, an undisclosed US industrial control system company, Davidson County offices in North Carolina, Colorado’s Department of Transportation, and Atlanta’s systems and services.
The SamSam hackers attack open remote desktop protocol (RDP) connections and break into networks by carrying out brute-force attacks against these endpoints. Because SamSam hackers attack RDP connections, HHS recommended that healthcare organizations restrict access behind firewalls with RDP gateways and virtual private networks, use strong, unique usernames and passwords with two-factor authentication, limit the users who can log in using remote desktop, and implement an account lockout policy to help thwart brute-force attacks.
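The lockout and access-restriction advice above can be paired with detection of the brute-force pattern itself. The following is an added example, not part of the original article or the HHS guidance: it scans Windows logon events for a source IP that makes repeated failed RDP logons within a short window and notes whether a successful logon followed. The log lines, the CSV layout, the threshold values and the function name are constructed assumptions.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample (assumed CSV layout): time, event ID, logon type, source IP, account.
# Windows Security log: 4625 = failed logon, 4624 = successful logon.
SAMPLE = """\
2018-07-09T10:00:01,4625,3,203.0.113.7,administrator
2018-07-09T10:00:03,4625,3,203.0.113.7,admin
2018-07-09T10:00:05,4625,3,203.0.113.7,backup
2018-07-09T10:00:08,4625,3,203.0.113.7,administrator
2018-07-09T10:00:11,4625,10,203.0.113.7,administrator
2018-07-09T10:00:15,4624,10,203.0.113.7,administrator
2018-07-09T09:15:00,4625,10,198.51.100.20,jsmith
2018-07-09T09:47:00,4625,10,198.51.100.20,jsmith
2018-07-09T09:48:00,4624,10,198.51.100.20,jsmith
"""

RDP_LOGON_TYPES = {"3", "10"}  # 10 = RemoteInteractive; failures under NLA log as 3

def detect_rdp_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {source_ip: finding} for IPs reaching `threshold` failures in `window`."""
    rows = sorted((r for r in csv.reader(StringIO(log_text)) if r), key=lambda r: r[0])
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    accounts = defaultdict(set)   # ip -> account names it failed against
    findings = {}
    for ts, event_id, logon_type, ip, user in rows:
        if logon_type not in RDP_LOGON_TYPES:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == "4625":
            accounts[ip].add(user)
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold:
                f = findings.setdefault(ip, {"max_failures": 0, "success_after": False})
                f["max_failures"] = max(f["max_failures"], len(q))
        elif event_id == "4624" and ip in findings:
            findings[ip]["success_after"] = True   # escalate: a guess may have worked
    for ip, f in findings.items():
        f["accounts"] = accounts[ip]
    return findings

if __name__ == "__main__":
    print(detect_rdp_bruteforce(SAMPLE))
```

The second source in the sample, two mistyped passwords half an hour apart followed by a success, stays below the threshold and is not flagged.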
In its statement, Cass did not say what type of ransomware had infected its systems.
Last year, numerous hospitals and healthcare information systems were affected by the WannaCry ransomware attacks, which targeted vulnerabilities in the Windows 7 operating system and infected systems using phishing emails.
HHS and other US agencies warned healthcare organizations at the time to exercise caution in their online activities, especially when it comes to opening emails.
HHS suggested the following steps to protect against ransomware attacks through phishing email:
• Only open emails from people you know and that you are expecting. The attacker can impersonate the sender, or the computer belonging to someone you know may be infected without his or her knowledge.
• Don’t click on links in emails if you weren’t expecting them — the attacker could camouflage a malicious link to make it look like it is for your bank, for example
• Keep your computer and antivirus up to date — this adds another layer of defense that could stop the malware
The first and best line of defense against ransomware attacks is employing cybersecurity best practices and training employees on those practices.