EXECUTIVE SUMMARY:

Over the weekend, ransomware encrypted data at 25 hospitals in Romania. The attack started with a children’s hospital and progressed to regional treatment centers and cancer patient facilities.

As a precautionary measure, upon learning of the attack, 75 Romanian healthcare facilities preemptively took systems offline.

The country’s centralized care and data system, the Hipocrate Information System (HIS), also experienced disruption.

Systems offline

On Monday, one hospital recorded 180 patient admissions on paper.

“…we did continuous admission records on paper, day admission records on paper, we wrote medical test recommendations on paper. Everything is done on paper, just as we did years ago,” stated Regional Institute of Oncology Manager, Mirela Grosu.

Incident response

All affected servers have been shut down. In some hospitals, the internet has also been disabled in an effort to prevent data loss.

Most of the hospitals have recent backups of their data, enabling efficient restoration of systems. However, at one facility, the backup does not include the last 12 days of data.

Experts from the National Cyber Security Directorate and others are in the process of investigating the attack. Paths to recovery are being assessed.

More information

The ransom demand for full-system restoration is roughly €157,000 per hospital. Victims have been advised against contacting the attackers and paying the ransom.

All hospitals have received instructions explaining that they should:

  • Isolate systems.
  • Save ransom notes and system logs.
  • Investigate the logs to identify the point of entry.
  • Keep the impacted systems “on” to preserve evidence from memory, if possible.
  • Inform relevant parties about the incident.
  • Restore from backups where possible.
  • Ensure that operating systems are up-to-date.

Healthcare ransomware prevention

Although not always the case, many instances of ransomware and the subsequent system fallout can be prevented. If you work for a healthcare facility, read through the following ransomware prevention tips:

  • Cyber security starts at the top. Executives and the board need to view cyber security as an organizational risk, not just an isolated cyber ecosystem issue. When cyber security has top management buy-in, it’s prioritized and systems are better protected than otherwise.
  • Mandate multi-factor authentication (MFA). Although multi-factor authentication does force staff to spend an extra few seconds logging into systems, MFA is known as a highly effective way to prevent credential-based attacks. When MFA has been implemented, hackers can’t steal credentials and then immediately gain access to networks and data.
  • Create a culture of cyber security. Ensure that your organization provides ongoing employee training. A strong cyber security posture hinges on employees having a certain baseline level of cyber security knowledge.
  • Leverage advanced cyber security software. Implement anti-ransomware technology, which is sometimes deployed as part of an endpoint security solution, to avoid security breaches and data compromise. Ensure that email clients have adequate protection. Although many email services have built-in security, organizations may need additional solutions to protect against modern cyber threats.
  • Backups. Consider applying the 3-2-1 backup strategy, where three copies of the data are made. Two are stored on different types of storage media. One copy of the data is sent off-site.
  • Emergency recovery plans. Your emergency recovery plans should clearly detail steps to take in the event of a breach. As a cyber security leader, if you are unsure whether you have the best possible strategic plan in place, consult with industry experts.
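
The 3-2-1 rule above, together with the backup-age gap reported at one facility, can be checked automatically against a backup inventory. The following is an added example, not part of the original article; the inventory fields, system names, timestamps and the one-day age limit are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class BackupCopy:
    system: str          # system the copy protects (hypothetical names below)
    media: str           # storage media type, e.g. "disk", "tape"
    offsite: bool        # True if the copy is stored away from the primary site
    completed: datetime  # when this copy last completed successfully

def audit_321(copies, now, max_age=timedelta(days=1)):
    """Return {system: [findings]}; an empty list means the system passes."""
    by_system = {}
    for copy in copies:
        by_system.setdefault(copy.system, []).append(copy)
    report = {}
    for system, items in sorted(by_system.items()):
        findings = []
        if len(items) < 3:                       # "3": three copies of the data
            findings.append(f"only {len(items)} copies, need 3")
        if len({c.media for c in items}) < 2:    # "2": two different media types
            findings.append("all copies on one media type, need 2")
        if not any(c.offsite for c in items):    # "1": one copy off-site
            findings.append("no off-site copy")
        # Freshness: data newer than the newest copy is lost on restore.
        gap = now - max(c.completed for c in items)
        if gap > max_age:
            findings.append(f"newest copy is {gap.days} days old")
        report[system] = findings
    return report

# Constructed sample inventory (not real hospital data).
NOW = datetime(2024, 1, 15, 8, 0)
SAMPLE = [
    BackupCopy("admissions", "disk", False, NOW - timedelta(hours=6)),
    BackupCopy("admissions", "tape", False, NOW - timedelta(hours=20)),
    BackupCopy("admissions", "object-storage", True, NOW - timedelta(hours=12)),
    BackupCopy("lab-records", "disk", False, NOW - timedelta(days=12)),
    BackupCopy("lab-records", "disk", False, NOW - timedelta(days=13)),
]

if __name__ == "__main__":
    for system, findings in audit_321(SAMPLE, NOW).items():
        print(system, "OK" if not findings else "; ".join(findings))
```

Running a check like this on a schedule surfaces a stale or single-location backup set before an incident, rather than during restoration.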
