What One Hospital Learned From a Ransomware Attack
A vendor portal left an Indiana health system vulnerable to a cyberattack. Its CEO decided to pay the ransom. Here's why, and what he wants other leaders to know.
It's breach season.
That's what Ron Pelletier, founding partner of Pondurance, a cybersecurity company based in Indianapolis, calls February through April. Partly, that's because it's also tax season, when a lot of financial information is being sent and received via the internet. Bad actors often spend the latter part of the previous year "weaponizing" their tools and doing reconnaissance. Then they look for vulnerabilities.
For Hancock Health in Greenfield, Indiana, just outside Indianapolis, breach season started a little early. About 9:30 p.m. on the night of January 11, Steve Long, its president and CEO, got a call from the health system's IT staff, telling him a computer in the lab was infected with ransomware. In an abundance of caution, the IT staff had turned everything off that was connected to the internet.
They were too late.
The attack, launched by a criminal syndicate in Eastern Europe, was initiated through the 71-staffed-bed hospital's emergency backup facility many miles away, and it had infected many, if not all, of its servers. The SamSam ransomware did not affect patient life-support systems.
Unlike ransomware that relies on phishing to trick employees into opening an infected email, the SamSam attack is more sophisticated. The criminals found a vulnerable port set up by one of the hospital's vendors, then located a password to gain entry into the system, Long says. They infected data files associated with the hospital's most critical information systems.
"It was a port you had to log into but it was exposed to the internet," Long says.
Long hopes by sharing his story that other healthcare organizations will avoid the disruptions that Hancock Regional experienced. He's even written a publicly accessible blog about it.
From a forensics investigation done later, it appears the criminals made attempts at a "brute force" attack, in which they ran through tens of thousands of potential password combinations to gain entry.
"That did not work, but at some point, they found a login and password from a vendor who was working with our IT systems," says Long. "We probably will never know exactly how they got a login and password. We're told all the time we should be prepared for such things. We had hired a company that was supposed to track this, and had anti-malware and antivirus software we thought was good."
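The pattern the forensics investigation describes, a burst of failed logins against an internet-exposed service followed by a successful login from the same source, is one that authentication logs can flag. Below is an added detection example, not from the article or from Hancock Health; the log line format, the source addresses and the thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not a real vendor or hospital log):
#   <date> <time> src=<ip> user=<name> result=<FAIL|OK>
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>FAIL|OK)$"
)

def parse(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def detect_guess_then_login(lines, fail_threshold=10, window=timedelta(minutes=10)):
    """Flag any source that produced at least fail_threshold failed logins within
    `window` and then logged in successfully (brute force followed by a valid credential)."""
    failures = defaultdict(list)   # src -> timestamps of failures still inside the window
    alerts = []
    for rec in filter(None, map(parse, lines)):
        src, ts = rec["src"], rec["ts"]
        failures[src] = [t for t in failures[src] if ts - t <= window]  # drop stale failures
        if rec["result"] == "FAIL":
            failures[src].append(ts)
        elif len(failures[src]) >= fail_threshold:
            alerts.append({"src": src, "user": rec["user"],
                           "failed_attempts": len(failures[src]), "at": ts})
            failures[src].clear()
    return alerts

# Constructed sample: 12 guesses against made-up accounts, then a success with a different
# (valid) account from the same source, plus an unrelated ordinary login from elsewhere.
SAMPLE_LOG = [f"2018-01-11 21:0{i // 10}:{i % 10:02d} src=203.0.113.7 user=guess{i} result=FAIL"
              for i in range(12)]
SAMPLE_LOG += [
    "2018-01-11 21:05:00 src=203.0.113.7 user=vendor_svc result=OK",
    "2018-01-11 21:06:00 src=198.51.100.3 user=nurse1 result=OK",
]

if __name__ == "__main__":
    for a in detect_guess_then_login(SAMPLE_LOG):
        print(f"ALERT {a['src']} logged in as {a['user']} after {a['failed_attempts']} failures at {a['at']}")
```

A single valid login is invisible to this check on its own; it is the preceding failure burst from the same source that separates a guessed or leaked credential from routine vendor access.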