Texas’ last independent nonprofit medical center is struggling to bring itself back online two weeks after a ransomware attack involving cybercriminals who want a payoff in the tens of millions of dollars.
The incident, discovered on Sept. 1, forced OakBend Medical Center to limit communications with the outside world by yanking offline its email and phone systems, spokesman Ivan Shulman tells Information Security Media Group. ISMG contacted him on his cellphone.
OakBend Medical Center, which has three hospitals, 274 beds and 450 staff physicians in the Greater Houston region, has continued to accept ambulances and provide care.
“We’ve been hit with hurricane after hurricane in the past, and we’re treating this like a natural disaster,” Shulman says.
After discovering the incident, the medical center contacted the FBI, which is working with the cyber unit of Fort Bend County, Texas, in the investigation.
Ransomware group Daixin claims responsibility for the encryption attack and also claims to have stolen patient and employee data in the incident.
Blog site Databreaches.net reports it previewed a file list purportedly stolen from the hospital system showing 258 directories containing 6,051 files. Daixin actors say they exfiltrated about 3.5 gigabytes of data, including 1.2 million records containing patient and employee data.
“They claim to have stolen data. They’ve demanded tens of millions of dollars. But we’re a nonprofit safety net hospital,” Schulman says.
Daixin earlier in the week threatened on its dark web site that it plans a “full leak” of the OakBend data “soon.”
OakBend on Thursday posted an updated statement on its website about the incident, saying cyber experts investigating the incident have confirmed that sensitive information was breached within the medical center’s IT infrastructure.
As of Wednesday, OakBend had been able to get its phone system back in service, but voicemail capabilities are still not functional. Email appears to have been restored.
While patient care systems remained secure, all the medical center’s applications were taken offline as OakBend and an army of experts from vendors including Microsoft and Dell helped restore OakBend’s IT operations, Shulman says.
“We’ve got dozens of software programs that are being scanned and cleared to run upon being restored from clean backups,” he says, adding, “these all need to be installed and interconnected, one by one.”
“We’re rebuilding our systems from the ground up.”
In the meantime, OakBend clinicians have resorted to handling work manually. Some of the older staff were able to shift back to paper processes without a lot of difficulty, but the change was more challenging for younger workers who have always relied on technology to do their jobs.
Senior doctors’ “handwriting is worse than ever,” Schulman quips.
While communication systems aren’t a typical target for most ransomware attacks, these systems often end up being collateral damage.
“Phone systems typically have back-end server infrastructure that can be susceptible to ransomware attack. Incident response plans must call out contingencies for communication system failures such as voice and email systems,” says Keith Fricke, principal consultant at privacy and security consultancy tw-Security.
Organizations typically focus on protecting the most likely ransomware targets, such as file servers, electronic medical records and other critical clinical and business applications, Fricke says.
As such, incident response plans often revolve around those systems and applications, sometimes forgetting about the “utility” systems such as email and voice systems, he says.
“Organizations sometimes assume email and phones will always be available, just as we expect power to be available at an outlet when we plug an appliance into it.”
Because mobile phones are so widespread, an outage of a health system’s or medical practice’s phones may be less concerning than it once was, says regulatory attorney Brad Rostolsky of the law firm Reed Smith.
In the meantime, attacks on the healthcare sector are showing no signs of slowing, says Brett Callow, threat analyst at security firm Emsisoft.
“All providers can really do is bolster their security – by patching, using phishing-resistant multifactor authentication, etc. – while also putting plans in place to deal with any incidents that do occur in order to minimize the impact on patient care.”