Three Lessons From a Hospital Under Ransomware Siege

Poyner Spruill LLP

Missouri’s Cass Regional Medical Center (CRMC) was recently hit with a ransomware attack. Existing patients continued to receive care, but incoming trauma and stroke patients were diverted to other facilities. The hospital was forced to shut down its electronic health record (EHR) systems.

The hospital stated that patient information had not been compromised during the episode. It explained that it had an incident response protocol in place prior to the incident and activated it within minutes of the attack. Mysteriously, the mechanism of the attack remains unknown. CRMC brought in a cyber forensics firm and contacted law enforcement to assist with the recovery process.

The incident is a vivid reminder that ransomware remains a persistent threat in the healthcare sector. Electronic health records are both vulnerable and valuable, which makes them the ideal target of opportunity.

However, because the hospital minimized the damage from what could have been a catastrophic incident, the episode also reinforces the value of cybersecurity fundamentals such as:

  • Having an incident response plan in place. The existence of the plan enabled the hospital to transition seamlessly from routine operations to a crisis footing, allowing medical staff to focus on health care while management and technical personnel addressed the ransomware issue.
  • Prompt action. CRMC’s decision to shut down the electronic health record system averted regulatory disaster. Unauthorized access to patient data constitutes a HIPAA breach. The hospital’s prompt action in shutting down the EHR system not only prevented an egregious leak of highly sensitive data, but also staved off possible OCR action.
  • Recovery timeframe. Notwithstanding the textbook response, forensic and protection efforts necessitated the gradual resumption of computer operations. The lesson is evident: even the best plans, well executed, may entail the loss of functionality for a time. The availability of manual backups, or alternative mechanisms, is therefore indispensable.

The CRMC episode illustrates that ransomware continues to pose a significant threat to health care institutions. Their vulnerability is compounded by the extensive use of electronic data systems in the healthcare sector. But it also demonstrates that instituting basic breach-response procedures significantly ameliorates the effects of an attack. With ransomware, an ounce of prevention is worth a pound of cure.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Poyner Spruill LLP | Attorney Advertising
