Nobody likes to admit to a breach – but when the breach involves ransomware it cannot be denied for long. Visitors cannot access public-facing systems and they they start to ask questions. This is what happened at DeKalb Health, an Auburn, Indiana-based hospital.
“Viewers, have been telling NewsChannel 15 for the last week that DeKalb Health fell victim to this,” reported Wane.com yesterday. “We visited them Monday to see if it was true. Then a DeKalb Health spokesperson issued this statement: ‘DeKalb Health recently experienced a temporary disruption in the operation of our administrative computer system due to ransomware…'”
The statement makes no mention of any ransom demand, nor any indication on whether a ransom was paid or not. The inference, however, is that no ransom was paid. Without confirmation from DeKalb this remains conjecture. A recent warning the FBI comments, “The FBI doesn’t support paying a ransom in response to a ransomware attack. Said [FBI Cyber Division Assistant Director James Trainor], “Paying a ransom doesn’t guarantee an organization that it will get its data back – we’ve seen cases where organizations never got a decryption key after having paid the ransom.”
Health facilities have been particularly targeted by ransomware in recent months. Perhaps the highest profile attack was against Hollywood Presbyterian Medical Center, based in Los Angeles, where the hospital paid the ransom (reported to have been $17,000). “The quickest and most efficient way to restore our systems and administrative functions,” commented the hospital’s CEO Allen Stefanek, “was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
Government advice remains that ransoms should not be paid, although there is recognition that each facility has to decide for itself. In conversation with SecurityWeek, Symantec director of product management for security response Kevin Haley recently commented, “My opinion is that when the hospital in California came out and publicly paid a large ransom – well, pretty soon hospitals all over the world were being attacked. There’s a definite repercussion to paying; even beyond making these guys rich and funding their next attack.”
At DeKalb, it appears as if the facility neither paid the ransom nor experienced any catastrophic loss of functionality. There is a lesson here on the value of efficient business continuity planning to cope with ransomware. “In order to best serve and protect our patients, we immediately implemented our standard down time operating procedures designed to ensure the best possible patient care,” says the statement. “In select cases last week, patients were transferred to another hospital and EMS was rerouted to another facility to ensure all of the patients’ medical needs could be met. All patients received excellent care and the highest-caliber treatment.”
Recovery, however, is still not complete. Many, but not all administrative systems are back in operation.
The matter is now in the hands of “a leading third party forensics firm.” DeKalb says it will release no further information until the investigation is complete, and it can be sure that the information it gives is accurate. At that point we may learn which malware variant was used, how it got into the networks, how it was contained, and whether a ransom was actually paid.