When a ransomware attack hits a healthcare provider, it can obviously be financially devastating, but it could also interfere with patient care. Physicians might be unable to access health records, for example, which could bring legitimate harm to patients.
Organizations must have necessary detection and mitigation measures in place, but also need to have a plan for recovery, ensuring that normal operations can resume as soon as possible.
At approximately 2:30 a.m. on Sunday, April 9, 2017, Erie County Medical Center (ECMC) received a message that no healthcare provider wants: Pay the ransom and we will re-enable your systems.
Buffalo, New York-based ECMC is a safety net hospital, meaning that it primarily provides care for lower income populations. It is also a Level One adult trauma facility, which further stressed the need for it to maintain regular operations in the wake of the ransomware attack, said ECMC Vice President of Communications and External Affairs Peter Cutler.
“When something like what happened in April occurs, it makes the whole situation all the more challenging,” Cutler told HealthITSecurity.com.
“When it was detected, the IT personnel who were on site immediately notified their superiors, who then notified members of our executive leadership,” Cutler said. “We then immediately shut down the hospital’s entire computer system proactively. It was at that point that we started to deal with this pretty remarkable circumstance.”
ECMC had been hit with an extremely sophisticated ransomware attack, Cutler explained, and said that the first challenge the hospital faced was ensuring that clinicians could access patient health records.
This is where Western New York's clinical information exchange (HEALTHeLINK) came into play.
“We brought laptop computers into the hospital and started there in the emergency department and worked our way through all of the critical care areas first,” Cutler recalled. “We started getting laptops in place in the critical care areas first and linked them to hot spots.”
“By having that pre-established relationship with an HIE like HEALTHeLINK, our clinicians were able to access patient health records that they were initially incapable of doing.”
HEALTHeLINK Executive Director Dan Porreca explained in a separate interview with HealthITSecurity.com that ECMC has been one of the most progressive users of the information exchange program, which ended up serving the hospital very well.
“What ECMC needed was to get reestablished with the more traditional ways of getting access to HEALTHeLINK, such as using laptops that were being deployed in MiFi, MiFi access to the internet,” Porreca said. “They needed to get usernames or passwords reset. Once they were in, they were fine, but they just needed that bridge to get access to HEALTHeLINK so they could better treat their patients.”
The ransomware attack recovery timeframe
The hospital’s EMR systems, including e-prescribe and CPIE, took approximately two weeks to be put back online, Cutler said. The “real data recovery,” such as ensuring payroll was back up, took closer to 45 days.
Cutler added that through the entire event and aftermath, ECMC did not have any diversions. Some elective surgeries were rescheduled, but the vast majority stayed on schedule.
“We had over 6,000 devices in the hospital, like laptop computers,” he stated. “The perpetrators did demand a ransom, which within 24 hours we had made the decision we were not going to pay.”
Cutler reported that law enforcement consultations, including conversations with both state and federal agencies, concluded that ECMC should not pay the ransom.
“Even in the course of discussions with them, we knew we weren’t going to pay the ransom,” he said. “By doing that, we knew we were putting ourselves in a position of completely having to rebuild a hospitalized computer system from a ‘dirty circumstance’ into a new clean environment.”
“We knew it was going to be a daunting challenge,” Cutler continued. “The HEALTHeLINK component made that decision easier because we knew our clinicians in those critical care units were at least being able to see patient health records.”
The FBI has recommended on its website that organizations should not pay a demanded ransom, as it does not guarantee that a computer network or system would be made accessible again.
Cutler said that ransomware attacks are becoming more sophisticated all the time, and it can be a very difficult situation for any type of organization. However, both the New York state police and FBI were helpful in advising how to approach the April incident.
“There are a lot of lessons learned here,” Cutler stressed. “We’re members of two healthcare organizations in our state: the Healthcare Association of New York State and the Greater New York Hospital Association.”
“We’ve communicated with them to better educate our fellow members and the people associated with those groups so that we can help should similar incidents arise. The information we’ve told them is valuable to them, on prevention, preparation, response and recovery.”
Porreca said that the situation showed why HEALTHeLINK must be proactive in working with all of its participants, such as hospitals, to be more fully embedded in their business continuity plans and crisis response plans.
“We need to have an internal process,” Porreca maintained. “We need our internal crisis response plan within HEALTHeLINK to make sure we're as prepared as we can be in the event something like this should happen again. And we need to be proactive with our participants to make sure that they understand what the process and procedures should be.”
Joining an HIE can be extremely beneficial to a healthcare provider, especially should something like the ECMC ransomware attack happen, Porreca said.
“For every provider organization that has an HIE in their community, make sure your data is getting there,” he noted. “ECMC has been providing data to HEALTHeLINK since 2008.”
“When the crisis hit, there was a lot of data on ECMC patients that we had available to them because they had been a data source,” Porreca continued. “I would encourage provider organizations to leverage, to learn about, and to work with their local HIEs and then build them into their business continuity plans and crisis response plans.”
It’s important for provider organizations to realize that this could be another potential benefit from connecting to an HIE. If an entity is at all hesitant about releasing its data into an HIE, what happened with ECMC is a critical lesson.
ECMC’s Cutler said that staying calm was also one of the top things the hospital focused on. It was important to assess as quickly as possible what was really happening and to get in touch with expert consultants who could provide greater insight.
“We had to maintain the operation of the hospital and make sure that through all that was happening, we kept our patients’ needs in the forefront,” Cutler explained. “The mantra is ‘patients first.’ Yes, this is an attack on our organization, but we still have a responsibility to the people we have in our care, and that was our top priority.”
ECMC had also adjusted its cybersecurity insurance coverage the previous fall, Cutler added. The hospital’s policy had been reviewed by its general counsel and other experts and it was determined that it was not adequate in the current day and age due to how sophisticated attacks in general were becoming.
“Not that they had any foreshadowing, but they figured that looking at the industry and what other people were paying, it should be changed. They increased our coverage significantly and that will make a huge difference for us in this whole recovery process.”
Overall, being able to work collaboratively and cooperatively – both internally and with HEALTHeLINK – was huge for ECMC, Cutler said.
“The level of professionalism that our family exhibited throughout the course of that event was nothing less than extraordinary,” he concluded. “We reminded our community here that we are the type of hospital that they can rely on when things get really tough. When it happened to us directly, we demonstrated further just how we respond to those types of circumstances.”