Another day, another healthcare ransomware attack. Erie County Medical Center and Terrace View long-term care in Buffalo, New York have been dealing with a ransomware attack for about 10 days now. On April 9th, a Sunday, the computers got hit by what they are only calling a virus, but according to someone I talked to today, it is, in fact, a ransomware attack. They have not paid the ransom and do not intend to, but from April 9th to the 15th, all systems were down. They hoped to have the patient data part of their systems operational by the 15th, at which point they would need to start entering the backlog of patient data and any data that was lost.
According to local media, the email system is also supposed to be up by that time.
After that is complete, they planned on working to restore systems such as payroll.
According to the person I talked to this morning, as of today, they are still working on recovering.
I am sure that they will complete a lessons learned exercise once people get some sleep, but from the outside, a couple of questions are obvious. Their disaster recovery plan seems to be lacking if they are still recovering 10 days later. We don’t know if their business continuity plan is sufficient. They didn’t have to close the hospital, which is good, but what is the impact on patient care and staff workload? Finally, how did this ransomware spread so widely in the organization that it is taking them more than 10 days to recover?
As a side note, the Beazley cyber insurance company says that ransomware attacks that were reported to them quadrupled in 2016 and they expect that to double again in 2017. Half of the attacks were in healthcare.
The FDA is now shifting its focus to medical devices, like the ones from St. Jude, over which the FDA slammed the firm last month.
As if that wasn’t enough to worry about, Health and Human Services Office of Civil Rights levied more fines in 2016 than any other year to organizations that were breached. They announced 12 settlements averaging $2 million in 2016 and three more in the first two months of 2017 PLUS a fourth case that had a fine of $3.2 million.
Some of these cases required the appointment of an external monitor, or babysitter, indicating that OCR didn’t trust those organizations to fix the problems without oversight.
This handful of cases, while significant, represents a fractional percentage of the roughly 17,000 cases a year that are filed with OCR.
In addition, OCR is finishing up a series of desk audits of covered entities and is about to start on auditing business associates.
While it is unclear what will happen under the Trump administration, OCR is funded mainly by the fines they levy, so it may well be the case that things run as they have for the last few years. Stay tuned.
Putting all of this together should be a red flag to anyone in healthcare that they need to get very serious about cyber security. It is not likely to get any better or easier any time soon.