A recent ransomware attack has affected roughly 110 nursing homes and acute care facilities in 45 states, cutting caretakers off from patient records.
Virtual Care Provider Inc. (VCPI), a Milwaukee-based IT consulting, security and management service company, first became aware of the attack Nov. 17. In a letter to clients, VCPI said the business was attacked with Ryuk encryption ransomware, which is used to target large software systems, and that it was spread by the TrickBot virus, a malicious program that targets Windows machines.
The company estimated 20% of its servers have been affected by the attack, and that roughly 100 physical servers will need to be rebuilt. VCPI said it is using a virus-specific software application to scan individual Microsoft Windows servers to verify they aren't infected. If the server is infected, the business plans to restore it. The company maintains roughly 80,000 computers and servers for the affected facilities, according to KrebsOnSecurity, which broke the story.
Attackers are demanding $14 million in Bitcoin as ransom for a digital key that VCPI could use to unlock access to its files, a price the company doesn't want to pay, according to KrebsOnSecurity. VCPI CEO and owner Karen Christianson said in an interview with the security news site that the attack affected nearly all of its offerings, including email and internet service, client billing and phone systems, and access to patient records. She said the ongoing attack is keeping care facilities from accessing patient records.
Experts said the incident shows even the best organizations with the best procedures and controls can fall victim to attack, providing a stark warning to healthcare CIOs to educate employees on best cybersecurity practices.
Ransomware's impact on healthcare
Larry Ponemon, founder of data protection research company Ponemon Institute in Traverse City, Mich., described the recent ransomware attack as especially devastating.
"It's very serious because it's not just about losing some data or preventing people from accessing their data," he said. "It's about the ability to provide services that can be life and death."
If a ransom isn't paid to retrieve a digital key to unlock the files, Ponemon said it can take months, or even years, for an affected healthcare organization or business to rebuild its systems after a ransomware attack.
In the letter sent by VCPI, the company said its plan is to rebuild servers and install them into newly created network segments. It is prioritizing servers that provide access to email and EHR applications. The company acknowledged it doesn't know when clients will have access to VCPI systems again and noted that it intends to investigate if the recent ransomware attack has resulted in the acquisition of client data.
"We are working diligently, nonstop, without resource constraint, according to our documented plan, and with experienced expert leadership," the letter stated. "We need to ensure the integrity of the new environment. We are prioritizing critical VCPI infrastructure, including Microsoft Exchange email system, and electronic health record software."
David Chou, vice president and principal analyst for Constellation Research in Cupertino, Calif., said he was struck not by the ransomware attack but by the fact that the victim is a technology company that provides technology services to healthcare organizations.
Chou said the incident highlights the importance of properly educating employees to be aware of the ways attackers will try to infiltrate an organization's systems and to ask questions before opening external emails with potentially malicious attachments. "If you don't, you're going to pay the price," he said.