And, they lived happily ever after?

Early Morning

We've been hacked!

Your phone rings much earlier than you could expect to be awake. The caller ID says the call is from the hospital, so you know something is wrong. You answer to hear that the IT system is down. All of it: EHR, Admissions, Accounting, Lab, Radiology - nothing works. When attempting to open any application, a red message appears, stating: "All of your files are locked." The message makes a demand for bitcoin within 48 hours. After that time the ransom cost doubles. After that, if we fail to pay, they threaten to destroy our system. Any other information on the screen is garbled. What should we do?

You hurry to get there, and when you do, you discover that what you were told on the telephone is exactly what you find. You realize that your organization is the victim of a ransomware attack. Your first step is to call the police. They inform you that an officer will be there in a few minutes. Then, you send messages to your management team explaining what has happened and asking them to be in the conference room at 8 AM for a meeting about how to respond. You request one of the team members to make a presentation on your "Disaster Recovery Plan" in the hope that the document will provide a road map for action. You then leave a message for your attorney to ask if she could attend your 8 AM meeting.

In the time available before the meeting starts, you also call your EHR vendor's support line and explain what has occurred. They promise a return call by a support engineer later in the morning.

A police officer arrives before the meeting starts and makes his report. Upon conclusion, he informs you that there isn't anything else he can do.

The first agenda item at the managers' meeting is an explanation of the current state of your IT system and its effect. A brief discussion follows about how much time will elapse before the system can be recovered. Then, the group is led through a review of the Disaster Recovery Plan. You silently reflect that the plan seemed a lot more comprehensive when you weren't faced with a disaster than it seems now. Although there are many similarities in its effect, the plan was primarily conceived as a roadmap for recovery from a natural disaster. In that type of event, it was projected that operations would likely cease because the facility would be unfit for use. There were no contingencies for events like the one you face now. It was a serious mistake for us not to recognize that.

The CMO states that new patient admissions should be paused until the system is restored, and that all pending surgical procedures should be rescheduled in the same way. The CNO cautions that the hospital's current patient population must be analyzed to determine whether or not they should remain in the hospital until they can be discharged normally or whether their condition requires that they be transported to other facilities. A decision is made to conduct those evaluations and proceed accordingly.

The management team is informed that the funds demanded as ransom could deplete the organization's cash assets. Another concern raised was, if the ransom was paid, what is the probability that the encryption keys would be furnished and would work to decrypt the data? Would the hackers attempt to extort us again? It was decided to reach out to other organizations who had experienced the same fate to determine what they learned through their experience. Finally, someone proposed that the best course of action might be to use the system backups that had been made regularly to just restore the system to its previous state. Following that, the meeting was adjourned until the next morning when more information would be available.

Day Two and Beyond

Bad News Continues
As day two dawned, the bad news just seemed to multiply. First, as was inevitable, the breach became more widely known, and the hospital's plight was a hot news item, not only locally, but throughout the region. CMS had yet to be notified, as was required under HIPAA regulations, and that would likely trigger a HIPAA audit and a potential penalty in addition to all of their other woes. Patient transfers were beginning and were expected to be completed within the next day or two. Estimates of the time to recovery had been changed from hours and days to weeks and months as it appeared that much of the organization's IT resources would have to be completely rebuilt. With that realization, plans for temporary layoffs were agreed upon. That decision was made with the realization that the longer the process of rebuilding the IT system, the less likely it was that it would be possible to retain the former staff. The clinical staff would present the greatest challenge. The worst news was that an attempt to restore some of the smaller components from backup revealed that the backup system had been destroyed by the hackers, making it unlikely that any of their backup files could be recovered.

A number of meeting attendees brought up the costs associated with this disaster, and administrative staff agreed to work on securing an estimate. There was a consensus among the group that the cost could likely be greater than the organization could bear. Others wondered about the feasibility of quietly investigating whether there were merger or acquisition opportunities that could be considered.

The Epilogue

No "and they lived happily ever after" to this story
Although this incident is fictitious, the issues that are described, although incomplete, closely match those from actual ransomware events. The demand for ransom along with the terms for Bitcoin payment were from an actual breach. The destruction of the organization's backup system has been a common occurrence for ransomware victims. And, the failure of traditional backup archives either on tape or disk storage is not at all unusual. The most devastating aspect of these events has to be the time required to mitigate them. For the organization to be essentially closed for a period of months creates many repercussions with great challenges. As can easily be surmised when taking everything into consideration, few healthcare organizations could survive intact.