By Greg Slabodkin
In April 2017, the Erie County Medical Center was the victim of a ransomware attack that was so devastating it took six weeks for ECMC to return all of its information systems to operation. Reg Harnish, CEO of GreyCastle Security, a firm hired to manage the hospital’s response to the incident, claims that it was the largest recorded ransomware attack in U.S. history.
Hackers behind ransomware attacks look for web server vulnerabilities in order to infiltrate networks and then install malicious code that encrypts files on computers, holding the data hostage in return for payment. A ransomware variant called SamSam infected 6,000 of ECMC’s computers, whose hard drives had to be cleaned as part of the medical center’s restoration work.
ECMC didn’t pay the ransom demanded by hackers and eventually recovered from the assault on its computer systems, insisting that medical records were not compromised and patient safety was never at risk. However, had the hospital patched a simple computer vulnerability, the organization could have prevented the damaging cyberattack that ended up costing ECMC more than $10 million to fix.
“It was a single technical vulnerability,” said Harnish. “It was a very common but very simple vulnerability – by simple, I mean one that is easily addressed and fixed. It just wasn’t done.”
In March 2016, a year before the hospital fell victim to SamSam, the same form of ransomware disabled Maryland-based MedStar Health’s computer systems, denying the health care organization access to email and electronic health records at hospitals in the Washington, D.C., area for nearly two weeks.
In response to that incident and other attacks, networking company Cisco issued a report in mid-2016 warning that ransomware campaigns against organizations in the health care industry are a “strong reminder that adversaries, when given time to operate, will find new ways to compromise networks and users – including exploiting old vulnerabilities that should have been patched long ago.”
Likewise, the FBI issued an alert in 2016 about SamSam ransomware being used by cybercriminals to exploit unpatched server vulnerabilities in health care.
Nonetheless, Peter Cutler, ECMC’s vice president of communications and external affairs, is dismissive of any fault or negligence on the part of the hospital. “Organizations across the country routinely receive information of cyberattack warnings from entities like the FBI,” Cutler said. “What the ransomware attack at ECMC proved is that every organization has potential vulnerabilities.”
The regrettable part is that the Buffalo hospital allowed a widely known, easily addressable technical vulnerability to be exploited by hackers. As the old health axiom goes: an ounce of prevention is worth a pound of cure. Unfortunately, it’s a lesson ECMC had to learn the hard way.
Greg Slabodkin, of Niagara Falls, is managing editor of an online health care information technology publication.