GREENFIELD — Hancock Health paid a $55,000 ransom to hackers to regain access to its computer systems, hospital officials said.
Part of the health network had been held hostage since late Thursday, when ransomware locked files including patient medical records.
The hackers targeted more than 1,400 files, the names of every one temporarily changed to “I’m sorry.” They gave the hospital seven days to pay or the files would be permanently encrypted, officials said.
An analysis since the attack confirmed no personal patient information was taken by the hackers, believed to be located in eastern Europe, said Hancock Health CEO Steve Long.
The affected files were backed up and could have been recovered, but restoring them would take days — maybe even weeks — and would be costly, Long said.
From a business standpoint, paying a small ransom made more sense, he said.
The hacker asked for four bitcoins — a virtual currency used to make anonymous transactions that are nearly impossible to trace. At the time of the transfer, those four bitcoins were valued at about $55,000.
SamSam, the particular type of ransomware responsible, is strategic about its ransom amounts and methods of turning over the money, Long added.
“These folks have an interesting business model. They make it just easy enough (to pay the ransom),” he said. “They price it right.”
Tough decisions
The hackers stayed true to their word, releasing the files early Saturday after retrieving the bitcoins uploaded to the web. By Monday, the hospital’s computer systems were up and running, though Long anticipated there could be some glitches to address in coming days and weeks.
Staff members at the hospital noticed computers were running slower than usual Thursday evening. A short time later, a message flashed on a hospital computer screen, stating parts of the system would remain locked until a ransom was paid.
Hospital leaders later learned the hacker gained access to the system by using the hospital’s remote-access portal, logging in with an outside vendor’s username and password.
The attack was not the result of an employee opening a malware-infected email, a common tactic used to hack computer systems, Long said.
Paying the ransom was no easy decision, Long said.
And hospital leaders said they want to be transparent about the situation, knowing that otherwise the public might think the worst.
Long pointed to a recent episode of “Grey’s Anatomy,” a medical television drama in which this very scenario resulted in malfunctioning equipment that put patients’ lives at risk. In the show — which aired in November — the hackers wanted $20 million.
“That’s a TV show — that is not real life,” he said.
There were certainly some similarities — hospital leaders and IT professionals huddled together in a conference room, for example — but much of the show was more dramatic than anything Hancock Health experienced, said Long, who downloaded the episode last weekend and watched it.
No equipment used to treat or diagnose patients was impacted by the attack, Long said. Most patients likely didn’t notice there was a problem, though the hospital’s patient portal — which allows patients to view their medical records online — was down and could have caused an inconvenience, he said.
Recovery mode
Doctors and nurses reverted to pen and paper to keep track of patients’ medical records. Doing so wasn’t difficult, as the hospital regularly practices doing so to stay sharp on those procedures, said Rob Matt, senior vice president and chief strategy and innovation officer for Hancock Health.
Hospital leaders paid the ransom around 2 a.m. Saturday. Then they waited. About two hours later, their files had been returned, Long said.
Like many large companies, the hospital has cyber insurance to provide coverage in instances such as this, Long said.
Midday Saturday, the hospital’s network servers were up and running, WiFi was enabled, and IT staff members were inspecting each of the files to ensure they weren’t infected with any other malware.
By Sunday evening, Hancock Health’s electronic medical record system was fully functional again for the first time since Thursday.
“We’re in the clear in terms of the intrusion,” Long said. “Now, we’re in recovery mode.”
Expert advice
Hancock Health officials enlisted the help of Pondurance LLC, an Indianapolis-based cyber security company that specializes in threat management, as well as the FBI.
Chris Bavender, a spokeswoman for the FBI’s Indianapolis field office, declined to comment on the situation, citing the agency’s ongoing investigation into the attack at Hancock Health.
A general statement on ransomware attacks posted on the FBI’s website states the agency “does not support paying a ransom to the adversary.”
Despite the warning, the FBI leaves it up to companies to make the final decision on whether to hand over the money.
“While the FBI does not support paying a ransom, there is an understanding that when businesses are faced with an inability to function, executives will evaluate all options to protect their shareholders, employees and customers,” the statement reads.
Long said the weather conditions and flu season made it ever more pressing that the hospital be able to return to normal operations.
FBI officials, who had been in contact with the hospital by phone, did not make a recommendation on whether the hospital should pay, Long said.
Increased security
Since regaining control of the computer systems, hospital leaders have asked employees to reset their passwords and implemented software that detects patterns that might indicate a similar attack is about to happen — before hackers gain entry.
But Long said he knows there’s no way to fully protect the hospital from falling victim to a cyber attack again. The hackers got hold of an authorized username and password, and with that information, there’s little companies can do to prevent intrusions, he said.
“Do I think it can happen again? Sure I do,” Long said. “It can happen to anyone.”
Staff writer Caitlin VanOverberghe contributed to this report.
Cyber Enemy
While many hackers use phishing techniques — posing as a legitimate company or source the user recognizes — to break into a computer, SamSam ransomware requires no human interaction.
The program targets vulnerable servers, particularly within the healthcare industry, according to the federal Department of Homeland Security’s computer emergency readiness team. Once it breaches a computer system, SamSam spreads across a server, quickly gaining control of multiple devices.
In early 2016, cyberattacks on several hospitals across the globe prompted the Department of Homeland Security and FBI to release a warning about SamSam and how to protect against it.
In the 2016 attacks, SamSam targeted healthcare facilities using an outdated website content management system. Once the program gained entry to the facilities’ servers, it spread malware across each network and charged various amounts of Bitcoin in exchange for the decryption codes, according to the FBI.
Source: FBI, Department of Homeland Security