Attackers-2; Indiana Hospitals-0
The healthcare industry has been, and continues to be, targeted by attackers attempting to compromise systems, exfiltrate data and information, and collect fees from ransomware attacks. A handful of the recent attacks have been phishing oriented, due partially to their previous successes. Hospitals present a great source of saleable data for the attackers. This includes, but is not limited to, patients’ medical records, whose various data points may be divided and sold separately or bundled into a packet for each patient: social security numbers, insurance information, home addresses, phone numbers, the patient’s point of contact, and other information.
Recently Hancock Health had the opportunity to pay $55k arising from a successful ransomware attack. The attack vector here was a phishing attack. On the same day Hancock Health experienced its issue, Adams Memorial Hospital was likewise hit with ransomware. This second attack, also successful, came to light when an employee noticed something was not quite right with her system on December 11, 2017. She contacted the help desk and system admins regarding the issue. Upon further examination, the files read “Sorry” and the network went blank. The ransomware tool used was believed to be a subset of the “Im Sorry” ransomware variant. It works by appending “.imsorry” to file names as the files are encrypted. Post-encryption, a text file containing instructions for paying the ransom is placed on the system.
Due to this, the physicians were not able to access their patients’ history files or appointment schedules. The scope of the attack was relatively limited, with only 60-80 patients affected. As of January 19th, Adams Memorial Health had not stated whether the ransom had been paid.
This provides a valuable lesson for the admins and the InfoSec department. Training to avoid such issues is needed and should be continued. It would help staff recognize not only phishing emails, but also what to watch for in emails from other staff members in case those have been compromised.
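The “.imsorry” suffix described above also gives defenders a concrete indicator to monitor alongside user training. The following is an added example, not code from the original article or from any vendor tool: it flags hosts that rename several files by appending that suffix within a short window. The log format, host names, window, and threshold are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

SUFFIX = ".imsorry"              # extension named in the article
WINDOW = timedelta(seconds=60)   # assumed burst window
THRESHOLD = 3                    # assumed; tune for real file servers

# Constructed sample rename events: timestamp|host|old path|new path
SAMPLE_EVENTS = r"""
2017-12-11T09:14:01|WS-101|C:\Users\a\notes.docx|C:\Users\a\notes.docx.imsorry
2017-12-11T09:14:02|WS-101|C:\Users\a\labs.xlsx|C:\Users\a\labs.xlsx.imsorry
2017-12-11T09:14:03|WS-102|C:\Share\report.xlsx|C:\Share\report-final.xlsx
2017-12-11T09:14:04|WS-101|C:\Users\a\scan.pdf|C:\Users\a\scan.pdf.imsorry
2017-12-11T09:20:00|WS-102|C:\Share\a.txt|C:\Share\a.txt.imsorry
2017-12-11T09:30:00|WS-102|C:\Share\b.txt|C:\Share\b.txt.imsorry
"""

def parse(line):
    """Split one constructed event line into (time, host, old, new)."""
    ts, host, old, new = line.split("|")
    return datetime.fromisoformat(ts), host, old, new

def is_suffix_append(old, new):
    """True when the rename only appends the ransomware suffix."""
    return new.lower() == old.lower() + SUFFIX

def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {host: time of first alert}; events must be in time order."""
    recent = defaultdict(deque)   # per-host timestamps of suffix appends
    alerts = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, host, old, new = parse(line)
        if not is_suffix_append(old, new):
            continue              # ordinary rename, ignore
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop appends older than the window
            q.popleft()
        if len(q) >= threshold and host not in alerts:
            alerts[host] = ts
    return alerts

if __name__ == "__main__":
    for host, when in detect_bursts(SAMPLE_EVENTS.splitlines()).items():
        print(f"ALERT {host}: burst of {SUFFIX} renames at {when.isoformat()}")
```

On the sample data only WS-101 alerts; the two WS-102 appends are ten minutes apart and stay under the threshold, which a stricter deployment could lower to 1.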
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.