According to a JAMA study published earlier this year, about half of all ransomware attacks disrupt healthcare delivery at large hospitals and healthcare systems .
But in small and mid-sized providers, often with tighter security budgets and fewer recovery resources, such attacks are not only damaging, but can disrupt the flow of care for days or even weeks.
Two years ago OrthoVirginia, the largest provider of orthopedic medicine and therapy in Virginia, was attacked by the Ryuk ransomware, resulting in loss of access to workstations and imaging systems, backup data needed for scheduled surgeries etc. And discuss building OrthoVirginia’s post-recovery cybersecurity strategy.
Ripley, with over 30 years of health IT experience in implementing health technology – she is currently working for a large orthopedic practice – also contributed to efforts to address cyber risk awareness within her organization Providers offer some important advice.
“Implementing cyber hygiene practices can be challenging when it is perceived to slow down or impede the delivery of health care,” Ripley said.
ask. Early in the pandemic, OrthoVirginia experienced what you call a “perfect storm,” which made it possible for cyber incidents to find their way into the network of physician-owned clinics. Can you describe the discovery of the incident, the impact of ransomware on your practice, and the circumstances your team faced recovering from?
Ripley. Absolutely. On February 25, 2021, our IT monitoring systems detected a malicious deployment of ransomware on our local network. We later learned that this was an advanced Ryuk ransomware attack.
The incident impacted our Windows servers, workstations, network storage and backups, but luckily, not our hosted [electronic health records]. When OrthoVirginia discovered the incident, it was able to stop the infiltration and block access to legacy data images and data files.
Later, our forensic investigators discovered that the malicious reconnaissance campaign began on or before February 23rd.
One of the most significant impacts on the web is our practice of encrypting our [picture archiving and communication system], which contains all of our x-rays, and is an orthopedic important part of surgery. The cybersecurity incident affected application and database services to view images.
However, there is no forensic evidence that the images themselves were accessed. And because we’ve only recently reopened our operating rooms post-COVID, we’re in a critical position to continue our scheduled procedures for our patients.
We have a very small IT team and I have to say I couldn’t be more proud of their response to the situation. They shut down our server immediately to avoid any further contamination.
I reached out to our cyber insurance incident response team and the FBI; all of which are critical as we roll out response software, conduct forensic analysis, and continue to negotiate ransoms. I think it’s worth noting that we didn’t pay the ransom.
We spent the next 18 months recovering from the incident.
We have established access to the EHR from within the office via an isolated wireless network and secured BYOD access. We bought as many Chromebooks as we could and asked employees to bring their own devices, and spent the next four months using those devices to rebuild virtual machines and restore application data that was a priority for the business.
We provided office hours to support access to the EHR and deployed a new PAC system within two weeks.
I’m pretty sure this is unheard of, but we’ve put our patients first and that’s what it takes to care for them. We were very creative and utilized every resource we could think of, but at the end of the day, we never stopped caring for our patients, which is what matters.
ask. What is the remedy, and how does Clearwater help OrthoVirginia achieve OCR compliance?
Cagle. We entered into a partnership with OrthoVirginia after the initial incident resumed. Terri [Ripley] knew they needed help building a stronger cybersecurity program and, after reviewing a number of potential vendors, chose Clearwater.
Terri initially asked us for a virtual CISO service, but the more we talked, the more she realized she needed something more holistic and we identified one for her Managed Services Program.
When we helped OrthoVirginia develop a cybersecurity roadmap, tabletop exercise, and comprehensive risk analysis, they received a letter of inquiry and data request from the [Office of Civil Rights], Involved individuals have the right to access patient images temporarily unavailable due to ransomware incidents.
OCR’s investigation is comprehensive because it focuses not only on access requests but also on ransomware incidents. Terri is confident that what happened in OrthoVirginia did not violate any HIPAA rules or constitute a violation of [electronic patient health information] and asked for our help in responding to the letter of inquiry.
Our team has extensive experience with OCR, so we helped Terri clarify the results of the OrthoVirginia forensic investigation, the controls in place at the time of the incident, and the actions taken to respond immediately upon discovery , which enabled them to successfully respond to OCR’s inquiry letters, initial data requests, and subsequent requests for additional information.
ask. Once the remediation plan has been launched, what are the next steps you will take to harden the attack surface of your practice to prevent future incidents?
Ripley. That’s when we called Clearwater. I’m very proud of our small but strong IT team, but it also shows that we need some help to support a stronger strategy.
It’s easy to read headlines about other incidents and think, “But not us.” We want to make sure that if something like this happens again, we can truly say we’ve taken every defense measures to prevent it from happening.
To do this, we subscribe to Clearwater’s ClearAdvantage managed service plan. They help build an integrated program that includes project management and leadership.
Since the incident, we’ve added some key strategies, some small ones like multi-factor authentication and digital identity badges, and some bigger ones like evaluating our Cybersecurity program performance, rigorous risk analysis, technical testing and execution of tabletop exercises. It’s part of a larger strategy to help us do more with our small team.
Q. What advice do you have for providers struggling to implement recommended cyber hygiene practices?
Ripley. I think you have to start with a shared understanding of why.
OrthoVirginia is a physician-owned organization, so implementing cyber hygiene practices can be challenging when it is perceived to slow or impede the delivery of healthcare. If we could go back in time and understand what was at stake and how much a cyber incident would impact our organization, I think we’d have a better consensus on making some of these changes.
Cagle. I agree with Terri and I would add, Effective communication with your board is critical to ensuring security is not only financial resources devoted to cyber hygiene practices, but prioritization as well.
You can do this in a number of ways, from giving your CISO a seat on the next agenda to inviting your cyber insurance partner or your cybersecurity partner Speak at the next board meeting. We do this at Clearwater for our clients because we know how important it is to communicate the risks to business goals and company equity value if the correct strategy and best practices are not in place prior to an event.
There is indeed no medical institution that cannot be targeted, from small to large, from public to private. It doesn’t matter.
ask. How can vendors following these frameworks stay ahead of bad actors in the new wave of attacks, such as phishing, phishing, and QR attacks?
Cagle. Cybercriminals have become more sophisticated in their tactics and techniques for attacking healthcare organizations. Utilizing frameworks and following best cybersecurity practices can help organizations prevent these attacks from succeeding.
Humans are the number one vector of cyber attacks, and phishing/social engineering is the number one threat. It is important to train your employees to trust no one and no one when it comes to digital communications they receive, which now includes voicemails, text messages and phone calls. They need to learn to operate with suspicion of anything they cannot verify as legitimate, including QR codes.
It is also important to test the effectiveness of this training with regular phishing and social engineering exercises, where you send simulated phishing or phishing to see if your employees / How many hits or respond in ways they shouldn’t. This validates the effectiveness of your training and identifies any gaps that need to be filled.
Ripley. I will repeat the importance of this training and testing. This is what I mean when I say it’s easy to think “not us”. We naturally trust the communications we receive, and attackers know it.
They count on their ability to outperform our employees. This is how they get into the network without being detected, giving them time to find vulnerabilities and exploit them.
Teach your staff, doctors, board of directors, consultants and anyone connected to your network that it is dangerous to assume that emails, text messages, voicemails, etc. verify. Double-check the source for links or requests for responses.
Really simple things to protect your organization or make it an easy target.
Andrea Fox is Senior Editor for Healthcare IT News. Email: [email protected] Healthcare IT News is a HIMSS media publication.