As healthcare organizations continue to implement new technologies, their data privacy and security measures cannot be an afterthought. This is especially true with healthcare ransomware attacks on the rise, which could compromise patient safety while also putting data at risk.
Hugh Chatham Memorial Hospital recently experienced an attempted ransomware attack, but was able to detect the intrusion, disable the affected account, and restore files. Hugh Chatham utilizes Varonis Data Classification Framework, DatAdvantage for Exchange and Windows, and DatAlert.
Hugh Chatham serves patients in the Yadkin Valley region of North Carolina and Virginia, and has more than 800 employees.
According to Network Administrator Rick Thompson, the potential ransomware attack is a good example of why the hospital needs to stay current on the latest cybersecurity trends and why it needs to pay more than just “casual attention” to the environment.
An employee remotely connected to the hospital network and then went to a site that started downloading Locky. However, Hugh Chatham can identify who has access to which files and when files are accessed, and can even set triggers for unusual activity, including mass encryption and other potential ransomware behavior.
Thompson explained that he did a demo and test installation of Varonis several years earlier, and had thoroughly enjoyed the experience. He just didn’t have the budget at the time to put it into place. But he kept promoting it as a budget item and it was eventually implemented.
“My original intent was to use the data advantage components of Varonis to get a better handle on network-shared files and folder security,” Thompson asserted. “Knowing that that was my initial exposure to it, they had a really super solution for handling network files and folder security.”
Over time, Varonis developed its product to include additional features, such as the DatAlert feature.
“We started the install in early May and took some time to get it installed, a knowledge transfer,” Thompson said. “I basically used that opportunity to take control over a terabyte of network file shares and fix the security. And when I say fix the security, I’m really referring to taking the existing security, evaluating it, and changing it into what I really felt like it needed to be.”
It was toward the end of the installation when the employee inadvertently accessed Locky, Thompson stated. The initial indicator was an email notification, as the hospital had set up such alerts for ransomware.
“As soon as we saw the alerts, we disabled the account and basically took what could have been a potentially disastrous situation and turned it into a very minor situation,” he recalled. “We still had to recover some files and we had to recover a couple servers…but we were able to isolate the incident and mitigate the damage, keep it contained, recover from it, do some education, and expand.”
Learning from the potential ransomware attack
Thompson maintained that the whole experience was a learning process. Even so, the hospital used the tools it had and was able to contain the incident and prevent it from causing an extended amount of damage.
“I’m not a big fan of coincidence,” he said. “I’m more inclined to believe that we installed our application and we got our system upgraded to look for and deal with ransomware.”
It had less to do with luck and more to do with solid planning and having a clear idea of how you wanted your security to be structured, Thompson added.
It was also beneficial that both he and Hugh Chatham CIO Lee Powe think very similarly in terms of security.
“We’re both ex-military, and we both have strong security backgrounds,” Thompson explained. “We understand that it’s not a question of if you’re going to encounter this, because it’s just not an ‘if.’ It’s a when you encounter it, how are you going to respond to it?”
Recoverability is the best defense against file encryption, continued Thompson. If you can’t stop a file from being encrypted, the next best thing is to be able to recover it from an unencrypted state.
“Putting those pieces in place, having the ability to recognize when you encountered the event, that’s when you have to react,” he warned. “You can’t wait a day. You can’t wait an hour. You have to react when you find out that you’ve got the problem.”
Thompson explained that as Hugh Chatham’s installation continued, it added further components. The hospital used DatAlert and its scripting capabilities to create a rule that sends a notification when someone triggers an event, and then goes a step further by disabling the user account and closing the session.
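A minimal version of the rule described above, written here as an added example; it is not Varonis code or the hospital’s actual configuration, and the event format, user names, paths and thresholds are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample file-activity log: (timestamp, user, action, path).
# "jdoe" renames files in rapid succession, the pattern a crypto-ransomware
# infection produces; "asmith" shows ordinary working-hours edits.
EVENTS = [
    ("2016-06-01T09:00:00", "asmith", "modify", r"\\fs1\finance\q2.xlsx"),
    ("2016-06-01T09:00:02", "jdoe", "rename", r"\\fs1\hr\a.docx"),
    ("2016-06-01T09:00:03", "jdoe", "rename", r"\\fs1\hr\b.docx"),
    ("2016-06-01T09:00:03", "jdoe", "rename", r"\\fs1\hr\c.docx"),
    ("2016-06-01T09:00:04", "jdoe", "rename", r"\\fs1\hr\d.docx"),
    ("2016-06-01T09:00:05", "jdoe", "rename", r"\\fs1\hr\e.docx"),
    ("2016-06-01T09:05:00", "asmith", "modify", r"\\fs1\finance\q2.xlsx"),
    ("2016-06-01T09:12:00", "asmith", "modify", r"\\fs1\finance\notes.txt"),
]

def detect_mass_encryption(events, threshold=5, window=timedelta(seconds=60)):
    """Flag any user who performs `threshold` or more rename/modify events
    inside one sliding `window`. Returns {user: time_of_first_trigger}."""
    recent = {}       # user -> deque of event timestamps still inside the window
    triggered = {}
    for raw_ts, user, action, _path in sorted(events):
        if action not in ("rename", "modify"):
            continue
        ts = datetime.fromisoformat(raw_ts)
        q = recent.setdefault(user, deque())
        q.append(ts)
        while ts - q[0] > window:        # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in triggered:
            triggered[user] = ts
    return triggered

def respond(triggered):
    """Turn detections into the automated response the hospital describes:
    notify, then disable the account and close its session. Actions are
    returned as tuples rather than executed; a real rule would call the
    directory and session-management APIs at this point."""
    actions = []
    for user, ts in sorted(triggered.items()):
        actions.append(("notify", user, ts.isoformat()))
        actions.append(("disable_account", user))
        actions.append(("close_session", user))
    return actions

if __name__ == "__main__":
    for action in respond(detect_mass_encryption(EVENTS)):
        print(action)
```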
“It pulls the trigger and stops the user’s account quicker than we would using a manual intervention,” he explained. “And we test that. I’ve tested it a number of times, and it just works. It works beautifully.”
Thompson reiterated that it’s not a question of being able to keep everything out. Rather, healthcare organizations need to recognize that when they have a problem, they work to stop it quickly and then recover from any of the fallout.
Keeping the focus on recoverability and data backups
Regardless of the type of security structure that is in place at a healthcare provider, Thompson maintained that recoverability needs to be a key focus area. The hackers only have to be successful once, whereas facilities have to be successful every time, he added.
“The degree of your exposure has more to do with how your security is structured, how you’re protected, and how you can recover from various incidents,” Thompson explained.
It’s necessary to understand and analyze your own data, find out what’s critical, find out what you have to have, find out where it’s kept, and then develop methods of keeping copies in places where it’s not readily accessible. Ransomware is just the flavor of the month, said Thompson.
“Every year, every couple of years, a new vulnerability comes up,” he stated. “And when it does, the industry as a whole responds, and they react to it, and then you move forward.”
Building the strongest security platform is going to do very little good if that one-in-a-thousand chance happens, unauthorized parties gain access and encrypt the data, and there is no reliable backup in place, Thompson continued.
“All that security was very nice, but it didn’t protect the data, and the data protection, it requires the ability for you to recover it,” he said. “Organizations need to not just keep that original copy in pristine condition but to be able to recover that data. If you focus on that, then a lot of the rest of it becomes a good deal easier to work with.”