Cybersecurity and hospitals
All is relatively well here at Woesnotgone Meadow, where everyone has above average bandwidth. Occasionally, people in the Meadow are sick. This can be the usual flu or cold, or something more serious, such as a broken bone. When these occur, the people soon become patients of the local doctor. The locations are not the massive hospitals you see on TV, but smaller facilities. At these, there are not two or three redundant systems in place in case one becomes inoperable. If one of the patient care or administrative systems were to stop working, there would be a problem. If multiple systems were affected, the residents of the Meadow would have a big problem.
Two hospitals had the opportunity to manage this issue. These were located in Wheeling, WV, and Ohio. They had a total of approximately 340 beds.
Effects
Both hospitals are owned by the Ohio Valley Health Service & Education Corporation. These hospitals were the Ohio Valley Medical Center in Wheeling, WV, and East Ohio Regional Hospital in Martins Ferry, OH. Fortunately, the compromise did not spread throughout the system. It did, however, affect approximately 30-40 computers of the over 1,300 systems. Granted, this is a small share, but still enough for a potent attack if targeted properly. The staff was unable to accept patients from emergency service transports, and those patients were diverted to other hospitals' ERs. The walk-ins, fortunately, were accepted. Due to the lack of system functionality, the staff was forced to use a paper charting system.
Attack method
The tools used in these types of attacks vary greatly. The specific tools used depend on the target surface and environment. There is no single tool that works everywhere. In this case, the hospitals were victims of a ransomware attack. The hospitals had implemented defense in depth. The attack only breached the first layer and did not compromise the second layer. This attack began on Friday, November 23, 2018, and was to be resolved by Sunday, November 25, 2018. While this timeline is great, there was no update as of Monday morning, November 26, 2018.
There have been many articles on the effect on the services, including the use of paper charts and other issues, but not on the “how” question. This could have been a phishing attack, a stray USB drive being plugged into a system, or another attack. The remediation was also not addressed. It is difficult to learn from our mistakes when we refuse to provide any data.
Data
The attackers were focused on data or revenue. There is always some form of enrichment directly from the attack. If there were some form of asset to exfiltrate, they would target it. In this case, the targeted data was patient data. Thankfully, none was exfiltrated.
Thanks for visiting Woesnotgone Meadow, where the encryption is strong, and the O/Ss are always using the latest version.
About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.