Zffoto - stock.adobe.com

ASPR Warns Ransomware Threat is Persistent, as Actors Leak More Data

Threat actors leak data from a dental insurer and a healthcare provider this week, in the wake of an update from ASPR warning the sector that ransomware continues to be a persistent threat.

The Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response, provided an update on the joint federal alert regarding the imminent wave of ransomware attacks targeting the healthcare sector.

The warning follows the dark web posting of data proofs allegedly stolen from a dental insurer and an orthopedic specialist.

The FBI has been actively investigating an ongoing wave of cyberattacks on the healthcare sector, for which HHS and the Department of Homeland Security Cybersecurity and Infrastructure Agency warned providers in hopes that the sector would quickly ensure the veracity and effectiveness of business continuity plans to minimize potential disruptions to operations.

Sixty-two providers have already been hit with ransomware in 2020, with more than a dozen hospitals and health systems falling victim in the last two months.

According to the ASPR update, CISA, HHS, and the FBI consider the ongoing ransomware threat to be credible and persistent.

“Of note, some recent healthcare sector victims have experienced very short periods of time between initial compromise and activation – even under a few hours,” the agencies warned.

The shortened attack timeframe is vastly different than previous attack methods used against the sector, particularly with double extortion threat actors that often remain on victim’s networks for days and up to months, proliferating across the network through vulnerable connected devices before deploying the ransomware payload.

In light of the shift, the agencies are urging healthcare entities to work toward “enduring and operationally sustainable protections against ransomware threats both now and in the future.”

Combined with Coveware research that determined data is stolen and leveraged for extortion in more than half of ransomware attacks, healthcare providers must take this threat seriously to prevent falling victim.

“In general, maintaining anti-ransomware best practices like the 3-2-1 backup system or conducting regular vulnerability scanning to identify and address vulnerabilities will help protect your organization against future threats from other ransomware operators,” according to the alert.

“Organizations should balance their operational needs with the current threat level and develop processes and postures for normal operating status and higher threat periods,” the alert continued. “The threat from ransomware is ongoing and entities should develop effective deterrent procedures while maintaining effective care delivery.”

Latest Extortion Attempts

Most recently, DoppelPaymer threat actors posted data allegedly stolen from the Reconstructive Orthopedic Center of Houston in an effort to extort money from the provider. Screenshots shared with HealthITSecurity.com show the attackers released more than 12 data sets containing documents they claim to have stolen from the Texas specialist.

Earlier this week, Egregor posted the first portion of data they claim to have stolen from Delta Dental Plans Association.

Egregor is a relatively new variant that appeared in September and has taken the lead in ransomware operations, following the dispersal of Maze hacking efforts. Brett Callow, threat analyst for Emsisoft, previously explained to HealthITSecurity.com that the variant appears to be an offshoot of Sekhmet but far more active.

“Like Sekhmet and multiple other groups, the actors behind Egregor exfiltrate data and use the threat of its release as additional leverage to extort payment,” Callow said. “The group’s claimed victims include Barnes and Noble, Ubisoft, a subsidiary of Berkshire Hathaway, a medical equipment manufacturer and a hospital.”

Ransomware Recovery Updates

Dickinson County HealthCare

Dickinson County Healthcare System has completed its recovery efforts, just shy of one month after a reported ransomware attack was deployed on October 17, according to local news outlet Iron Mountain Daily News.

The Michigan health system operated under EHR downtime procedures in wake of the attack. DCHS worked alongside third-party security and forensics experts to restore systems and functions, as well as to investigate the scope of the incident.

DCHS opted not to provide updates during recovery, while it continued to maintain routine patient care. The health system’s board is scheduled to meet on November 19, which may lead to further insights as to the extent of the ransomware’s impact.

Hendrick Health

Texas-based Hendrick Health System has also recovered its systems just one week after reporting it was operating under EHR downtime procedures following the discovery of a “security threat” on November 9.

The IT networks of the main campus and some clinic offices were shut down after the threat was discovered to both contain the attack and to prevent “lasting damage to the IT system.” According to a November 16 press release, Hendrick Health worked with outside security assistance and law enforcement to assess and contain the threat.

“Since learning about the threat, our team has worked around the clock to resolve the issue and restore the health system’s networks,” officials said in a statement. “In collaboration with industry experts and federal law enforcement, we have completed our due diligence in assessing and containing the threat, and our team has spent the weekend restoring clinical and business systems.”

All hospital and clinic electronic medical records systems have been restored, while the security team is continuing to monitor for similar threats. The health system declined to provide insights into the threat used to penetrate the network, but officials said they’re continuing to analyze the attack and enhance network security.

“Our industry continues to experience an unprecedented amount of network security incidents, and we will continue to leverage partnerships with leading firms to deploy new technology that will further harden our systems and equipment protecting us from similar events,” officials explained.

“While our networks were down, patient care and safety remained our top priority,” they added.

Sonoma Valley Hospital

Unfortunately, at least three providers remain under EHR downtime procedures following ransomware incidents in the last month.

The latest update from Sonoma Valley Hospital on November 13 revealed the provider is still in the recovery stages following a ransomware attack more than a month ago on October 11. As previously reported, data was exfiltrated during the attack and later posted on the Mount Locker ransomware group’s underground market. However, the posting has since been removed.

Sonoma Valley did not pay the hackers’ ransom demand and has been working with law enforcement. Upon discovering the intrusion, the hospital was able to prevent the cybercriminals from completely blocking system access.

The latest update revealed that it appears the attack was limited to some patient testing data, and it appears other patient information and staff financials were not compromised during the security incident.

Patient care continues throughout the hospital, including most patient services like necessary and elective surgeries. Most diagnostics tests are continuing, while the patient portal remains accessible -- though it hasn’t been updated with new data since the attack was launched.

The hospital is currently performing a forensics investigation and the results will be released to impacted patients once officials determine the scope of the breach. Notably, officials said they are working with outside assistance, including the University of California San Francisco, which was hit with a ransomware attack and later extorted by NetWalker hackers in June.

Sky Lakes Medical Center

Sky Lakes Medical Center is also continuing to operate under EHR downtime procedures. The latest report finds officials are expecting a detrimental financial impact following the ransomware attack that struck on October 27, as the entire enterprise system is receiving an upgrade.

The Oregon provider needs to replace 2,000 computers amid its recovery efforts to ensure the hardware is clean and the software is up to date. Officials said they’re also replacing the system used to read diagnostic imaging studies. Notably, Picture Archiving and Communication Systems (PACS) are one the most vulnerable healthcare technologies.

“While we will refuse to pay any extortion, we have cut back on some elective and outpatient services while our systems have been down,” explained Paul Stewart, president and chief executive officer of Sky Lakes. 

“We are also having to spend money on new equipment that we had not anticipated, such as PCs and servers, etc., as well as extra labor expense,” he added. “We cannot yet quantify the total impact, but it will likely be significant. We have some business-interruption insurance but do not anticipate it covering the full impact of the ransomware attack.”

The prime focus for Sky Lakes has been recovering clinical systems and were “coming back online in prioritized sequence now.” Officials said efforts were also focused on radiation therapy at the Sky Lakes Treatment Center, rather than shifting from paper records.

Some of the hospital’s 568 servers were reportedly brought back online, at the time of the latest update. But it appears recovery efforts are continuing more than a month later, with officials calling the attack “very new and very unique, and it’s unlikely there were any anti-virus tools that would have recognized it.”

UVM Health Network

Lastly, the University of Vermont Health Network is also continuing to recover weeks after falling victim to a ransomware attack on October 28. Vermont’s Governor deployed the Army National Guard to assist with recovery efforts on November 4.

The ransomware attack spurred a significant system-wide network outage across at least six of its hospitals, with the UVM Medical Center and patient portal experiencing the biggest impact. The medical records system also went down in the attack, and all UVM sites have been experiencing communication issues throughout the security incident.

The latest update reported that UVM has made steady progress with its recovery efforts. The UVM Medical Center, Central Vermont Medical Center, Porter Medical Center and Champlain Valley Physicians Hospital now have read-only access to the Epic EHR management system, which allows providers to access existing patient records and will improve the efficiency of patient care.

Some scheduled outpatient surgeries are being shifted from one UVM location to another, with hopes that it will minimize disruptions to patient care and that patient schedules can be maintained moving forward.

UVM is still working to recover access to its back-end systems that support patient-facing applications but officials do not know when access will be completely restored. As a result, “patients will continue to experience the impact of the cyberattack for some time.”

Next Steps

Dig Deeper on Cybersecurity strategies