peshkov - stock.adobe.com
How An Independent Practice Recovered From a Third-Party Ransomware Attack
A NC-based family physician shares lessons learned after his independent practice was collateral damage in a third-party ransomware attack originating at a cloud provider.
When Ed Bujold, MD, FAAFP, of Granite Falls Family Medical Care Center in North Carolina, found out in October 2021 that his practice had been impacted by a ransomware attack waged against its cloud vendor, he realized that he had three options.
One, close the practice and retire. Two, sell the independent practice that he had been running for nearly 40 years to a large health system.
The third option was to “dig in your heels and do whatever it takes to figure out how to keep the doors open,” Bujold said in an interview with HealthITSecurity.
Bujold chose the third option, electing to work through weeks of uncertainty without access to the practice’s EHR and practice management systems as the cloud provider worked with the FBI and a cybersecurity team to negotiate with the Russian syndicate that was holding its data for ransom.
“There is never a good time for this to happen, but this came on the heels of the COVID pandemic, which exposed primary care practices, particularly those that were independent, to significant financial vulnerability,” Bujold said.
In the months following the attack, Granite Falls Family Medical Care Center worked to re-establish cash flow while having to revert to paper records to keep operations running as smoothly as possible. By March 2022, Granite Falls Family Medical Care Center once again had a fully functioning EHR system.
Rather than keeping the valuable lessons learned throughout this ordeal to himself, Bujold wrote about the ransomware attack and how his practice handled it in a reflection piece published in the Annals of Family Medicine. In an interview with HealthITSecurity, Bujold expanded on his experience and shared details about the people and tools that helped his practice move forward.
What Happened
Bujold operates an independent practice in Granite Falls, North Carolina with nine employees. A typical weekend for Bujold involves logging into the practice’s EHR system to review patient data and schedule follow-up appointments, he wrote in the Annals of Family Medicine article.
But on Sunday, October 31, 2021, Bujold noticed that he was unable to log in to the system. The next day, when Bujold arrived at the clinic, his team noted that the EHR and practice management systems were still not working.
Bujold was soon informed that the practice’s cloud provider had been targeted in a ransomware attack that had impacted dozens of its client organizations. The threat actors were holding data for ransom and demanding $5.1 million from the cloud provider in exchange for an encryption key. The FBI and a cybersecurity team quickly got involved.
“By noon of November 1, 2021, we knew our cloud-based service had an action plan in place, but the CEO had no idea when we would get our system back online,” Bujold wrote.
“Naively, we thought we would have our PM and EHR up and running in a few days. After two weeks, my staff and I realized this was much more serious.”
In the following weeks, Bujold’s team had to ensure that they could still serve patients and run their business effectively while dealing with lots of uncertainty.
“Part of the problem was is that we were collateral damage. It wasn't our practice that got hit, and for the first several weeks, we didn't know how much secure information was out there,” Bujold told HealthITSecurity.
“The cloud service we worked with didn't know either. It was frustrating for them, and it was frustrating for us.”
First, Bujold had to re-establish cash flow, since the practice submitted claims through its practice management system. Thankfully, Bujold was able to get an extended line of credit from the bank, which he never had to use. In addition, the practice was able to submit insurance claims via its claims management system’s encrypted online site.
Next, Bujold's team worked revert to paper records. Thanks to daily point-of-care reports maintained by data extraction company KPN Health (for which Bujold is a senior physician advisor), Bujold’s team was able to access accurate patient information dating back to one day before the ransomware attack.
“There are a lot of practices that don't have that kind of access,” Bujold acknowledged. “We were just very fortunate that I worked for them and we had that software available.”
After three months of negotiations, the cloud provider paid the Russian syndicate $500,000 and received an encryption key. In the aftermath of the ransomware attack, Bujold’s team chose to move to a larger cloud provider. By March 2022, the practice had regained all its lost revenue.
Lessons Learned
“Nothing that we do in the office gets done without input from all the players on the team, and that really helped when we went through this,” Bujold said in the interview.
Bujold credited his team, particularly his practice manager who has been with the practice for 37 years, for enabling the practice to keep going throughout the months of disruptions.
In the Annals of Family Medicine article, Bujold also cited the importance of other partnerships and resources, such as the practice’s legal counsel and certified public account (CPA).
“First and foremost, have a trusted computer consultant to manage your hardware and have them do a cybersecurity check yearly, which should also include a very frank discussion with your staff about potential cybersecurity risks and vulnerabilities in your practice,” Bujold advised. “This consultant is as important as a good CPA and banker for a small practice.”
Bujold also stressed the importance of limiting the number of connected devices on a network and maintaining a strong incident response plan.
“These attacks are starting to affect patient care all over the world. We were able to move back to the paper world quickly and fortunately had a scaled-down paper version of our EHR data available,” Bujold wrote.
“We were lucky. The hundred other practices involved in this attack were not so fortunate. Many small medical practices never recover from a ransomware attack and file for bankruptcy.”
Bujold noted a unique aspect of operating an independent practice that he has learned over the years — you must be comfortable taking on a variety of roles and responsibilities.
“You have to have the medical knowledge, which I think we all have. Then, you have to have business savviness, and that includes managing people and understanding how business interplays with medicine. You also have to have a really good understanding of information technology and how it can help you and how it can hurt you,” Bujold said in the interview.
“If you don't have expertise in all three areas, or if you're not comfortable in one of those areas, hire somebody who is.”
Importance of Sharing Knowledge
Healthcare organizations of all sizes are impacted by ransomware attacks very frequently, whether they are targeted directly or are affected by an attack on a business associate. But beyond the initial news of an attack, it is rare that organizations share their experiences publicly beyond a legally required breach notice, likely due to legal implications or fear of reputational harm.
The Ireland Health Service Executive (HSE) was an outlier when it issued a detailed post-incident review following a May 2021 cyberattack. The ransomware attack was claimed by Conti ransomware and immobilized the country’s health IT systems, incurring hundreds of millions of dollars in recovery costs.
The report went into extreme detail about the nature of the incident and how the HSE recovered. It even identified significant gaps in the HSE’s incident response planning that negatively impacted its recovery process. However, it also served as a useful tool for other organizations looking to strengthen their own security postures and better prepare for ransomware attempts in the future.
Sharing post-incident reviews with peer organizations may be able to help healthcare advance as a sector and learn from one another. Bujold felt compelled to share his own practice’s story in the journal article in hopes that it would help other ransomware victims.
“You hear about healthcare systems getting hacked every day. But you don't hear much about what happened. All you hear is that X hospital has been hacked, X practice has been hacked, and you don't know what happened,” Bujold reasoned.
“I thought it would be worth telling the boots-on-the-ground story and maybe it would be of some benefit to people.”