GreyCastle's Reg Harnish: Lessons from a Hospital Ransomware Attack

Ryan Black

“Culture eats technology for breakfast…this is a human problem," Harnish says of the fight for higher cybersecurity standards in hospitals.

In late July, The Buffalo News reported that upstate New York’s Erie County Medical Center (ECMC) spent nearly $10 million rebuilding vital computer systems following a ransomware attack. Last week at the Philadelphia HIT Summit, Reg Harnish of GreyCastle Security, who worked with the hospital following the attack, gave a blow-by-blow of how such a large ransomware attack developed and what lessons can be learned from it.

Harnish, the CEO of GreyCastle, traced the events back to the well-publicized paralysis of California’s Hollywood Presbyterian Medical Center in February 2016. That incident was one of the first hospital ransomware events to draw much public attention, but he characterized it as relatively unsophisticated compared to what happened to ECMC in April of 2017.

The attack encrypted more than 6,000 computers, devices, and servers, taking the hospital system offline for 13 days, with recovery still ongoing. The cost of the attack is in that recovery: Hollywood Presbyterian had about 700 devices compromised by a lower-sophistication attack, paid the roughly $17,000 in bitcoin, and recovered somewhat quickly. ECMC elected not to pay the ransom and instead to build their network back from the ground up.

The ECMC attack became known early on April 9th, but it was preceded by a week’s worth of wee-hours probing by connections from Brazil, South Africa, and the Netherlands, likely servers in themselves compromised in similar fashion.
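The off-hours probing from unexpected countries described above is the kind of pattern a hospital's own remote-access logs can surface before encryption starts. The following is an added example, not code from the article or from GreyCastle: it parses constructed remote-login records (a hypothetical space-separated format with timestamp, source IP, country, username and result) and flags logins that are both outside business hours and from countries not on an allow-list, grouping them by source address and calling out any that succeeded. Country codes, the allow-list and the off-hours window are assumptions for illustration.

```python
"""Added example (not from the article or from GreyCastle Security).

Flag remote-access logins that occur off-hours from unexpected countries,
the precursor pattern the article describes, and summarize them by source IP.
"""
from collections import Counter
from datetime import datetime

# Constructed sample log lines; hypothetical format:
#   <ISO timestamp> <source IP> <country code> <username> <FAIL|SUCCESS>
# None of this is real ECMC data.
SAMPLE_LOG = """\
2017-04-02T02:14:07 203.0.113.5 BR admin FAIL
2017-04-02T02:15:41 203.0.113.5 BR admin FAIL
2017-04-02T02:17:02 203.0.113.5 BR administrator SUCCESS
2017-04-03T03:02:55 198.51.100.9 ZA admin FAIL
2017-04-04T01:48:13 192.0.2.77 NL backup_svc SUCCESS
2017-04-04T14:10:00 10.0.0.12 US jsmith SUCCESS
2017-04-05T10:30:00 10.0.0.14 US rjones SUCCESS
"""

# Assumptions: the organization expects remote logins only from "US",
# and treats 00:00-05:59 local time as off-hours.
EXPECTED_COUNTRIES = {"US"}
OFF_HOURS = range(0, 6)


def parse_line(line):
    """Split one log record into a dict; timestamp becomes a datetime."""
    ts, ip, country, user, result = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "ip": ip,
        "country": country,
        "user": user,
        "result": result,
    }


def is_suspicious(event):
    """Off-hours AND from a country outside the allow-list."""
    off_hours = event["ts"].hour in OFF_HOURS
    foreign = event["country"] not in EXPECTED_COUNTRIES
    return off_hours and foreign


def analyze(log_text):
    """Return a summary of suspicious logins found in the log text.

    Keys: 'flagged' (count), 'by_ip' (source IP -> count), and
    'successful_foreign_offhours' (list of (ip, user) that actually got in).
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    flagged = [e for e in events if is_suspicious(e)]
    by_ip = Counter(e["ip"] for e in flagged)
    successes = [(e["ip"], e["user"]) for e in flagged if e["result"] == "SUCCESS"]
    return {
        "flagged": len(flagged),
        "by_ip": dict(by_ip),
        "successful_foreign_offhours": successes,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    print(f"{summary['flagged']} suspicious off-hours foreign logins")
    for ip, n in summary["by_ip"].items():
        print(f"  {ip}: {n} attempt(s)")
    for ip, user in summary["successful_foreign_offhours"]:
        print(f"  SUCCESSFUL login from {ip} as {user}: investigate now")
```

The successful entries are the ones that matter most for triage: a failed probe is noise, but an off-hours success from an unexpected geography, especially under a service account like the constructed `backup_svc`, is the point at which the article's story (backups deleted, then ransomware deployed) becomes possible.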

“The initial intrusion,” Harnish explained, “was done in an automated fashion. Most of what is available today, ransomware as a service, has become very popular. Anyone in this audience, for about $1500, could take down pretty much any hospital in the country. It looks like Office 365, an excellent user experience, customer support 24/7, and it’s fairly inexpensive. Our adversaries have invested in their business model to the point that they actually provide better service than a lot of the vendors that we use today.”

During the series of connections over the next week, the hackers gained an understanding of the type of network they had stumbled into, raised their soon-to-be-requested ransom accordingly, and attempted to install a form of malware. That attempt was thwarted by the system’s antivirus software, and they apparently spent the following days crafting an altered variant that would slip past it.

Remote connections continued. Eventually, the bad actors were able to successfully log into the network and delete every online backup file before installing a form of Samsam malware.

“Within 4 hours of 1:55 AM on April 9th, 6,300 endpoints, clinical workstations, devices, and servers were encrypted,” Harnish continued. “From our perspective, this was one of the most successful, largest, and most impactful ransomware cases we had ever experienced.”

The vast majority of ransomware attacks today, he said, are entirely automated, meaning the hands-on approach taken by the actors against ECMC stood out. There are good steps to take in case of a breach, however.

“When you suspect that there’s been an incident of any kind, it’s important you move to the highest level of awareness and response as quickly as possible,” he said. Communications have to be considered for disseminating information about the incident both internally and externally. From media and regulators, he emphasized, there will be plenty of scrutiny.

The right team needs to be assembled, as well: IT staff alone are not what matters most to the effort, Harnish stated; having the decision makers present matters more. The hospital’s legal team should be present, too.

A lockdown is likely necessary to prevent the propagation of the suspected breach, requiring the disconnection of non-critical assets, the changing of passwords, and potentially the disabling of internet access or freezing of bank accounts.

“Our job, as responders, is to protect our clients, and to help prove that, while there may have been exposure and unauthorized access, according to OCR guidance, there has not been ‘the b word’,” he said, for “breach.” “There’s a lot of additional work that goes into an investigation once that’s been declared.” An attorney fluent in HIPAA and healthcare cybersecurity breach policies could be integral.

“This is about people, cybersecurity and cyber crime are about people. This is not a technology issue,” Harnish said. Later, he underpinned this point more dramatically: “Culture eats technology for breakfast…this is a human problem. We appreciate IT support, but we recognize that can only solve 25% of the issue. This is about building behaviors in an organization.”