The Silver Lining In Your Cloud TM

Marin Healthcare Proves That Ransomware Can Hit Nearly Anyone

No organization, large or small, is safe from cybercrime.

This is a lesson that was driven home for Marin Healthcare District (MHD) in July of this year when, as noted in an article, “one of its key vendors, Marin Medical Practices Concepts, Inc., [MMPC] experienced a ransomware infection.”

While details about this ransomware strike are scarce, here are a few things that we do know:

1: MHD Reports That No Patient Data was Accessed or Stolen

When Marin Healthcare’s systems were hit with the ransomware, the company deployed a third-party forensic firm to investigate the incident.

According to a press release published by MHD, the firm found “no evidence that patient personal, financial, or health information was accessed, viewed, or transferred.”

So, while the hacker or hackers behind the attack managed to get ransomware onto Marin Healthcare District’s systems, they didn’t gain direct access to Marin’s systems.

2: There was Data Loss as a Result of the Attack

Unfortunately, while no data was stolen, there was some data loss as a result of the attack. As revealed in MHD’s press release, “during the restoration process one of MMPC’s backup systems failed, causing information to be lost that was collected at the district’s nine medical care centers between July 11, 2016 and July 26, 2016.”

For a medical practice, 15 days of missing data for vital signs, clinical history, physical exams, and doctor/patient communications is an enormous loss, as that information can be vital for treatment.

What the specific cause of the failure was is still unknown at this time, but it does help to highlight the need to ensure that remote data backups are protected from viruses and that single points of failure are eliminated in any disaster recovery (DR) solution.

3: MHD Paid a Ransom for the Return of Data

According to the article cited earlier, “Marin Healthcare and Marin Medical Practices did pay an undisclosed ransom to have the cyberthieves unlock the data files.”

The timeline of events is not clear—so we don’t know if MHD did this before or after the failure of their backup system. If the payment came before the backup failure, this could indicate that the ransom payment did not result in the return of data.

This highlights one of the biggest risks of giving in to a ransom demand for business data—the fact that once paid, criminals may not honor their end of the bargain. An extortionist may continue to hold onto the ransomware decryption key for a bigger payout. Or, criminals may leave the ransomware on the victim’s systems to be triggered all over again at a later date.

If the ransom payment came after the failure of the backup system, then the hackers attacking MHD might not have profited at all—if only the backup and restore system had worked as intended.

4: MHD Notified the FBI and the U.S. Department of Health and Human Services (HHS)

Per HIPAA regulatory requirements, MHD notified regulatory agencies of the breach incident and the effect on their systems.

While the investigation is still underway, MHD isn’t discussing the particulars about what measures are being taken to hunt down the thieves and protect against future attacks.

Lessons Learned

This soon after MHD’s press release concerning the ransomware attack, there still isn’t much detail about who the attackers were, what the ransom demand was, how the ransomware got uploaded, or why MHD’s backup system failed them.

However, there are a few important lessons that we can glean from the aftermath of this attack:

  1. Every Business is a Target, and No One is 100% Safe. Marin Healthcare is neither a massive company nor a small one; but it was a target all the same. No business is too small to be attacked, and no company is large enough to be completely immune. This is why every business needs to practice strict cyber security.
  2. Data Breaches Aren’t the Only Concern Businesses Have. Although no data was actually stolen in this attack, MHD’s operations were still sorely affected. The loss of data was an inconvenience for many patients who went to Marin Healthcare District-owned practices over the course of two weeks—which may end up costing the provider later on.
  3. Disaster Recovery NEEDS to be Tested. While the cause of the failure is unknown at this time, the simple fact of the matter is that MHD’s DR solution failed when they most needed it. Every DR solution should be routinely tested to make sure it will work when you need it—including checks for single points of failure and antivirus/malware protection.
  4. Paying a Ransom Doesn’t Guarantee Data Will Be Returned. Before surrendering to the demands of a criminal, businesses should investigate every other option first. There’s simply no guarantee that paying a ransom will result in the return of your data—or that the thief won’t simply re-encrypt your data again with a different key later.

Incidents such as the Marin Healthcare ransomware attack are all too common for modern businesses. However, there are ways for businesses to guard against these attacks.

Learn how you can protect your business with a secure cloud from today including HIPAA, PCI, Contingency Planning and Disaster Recovery services!