Breach Bulletin Hospital Cyber Attack

Jacksonville Hospital Acts Fast Enough to Contain Attack

DESCRIPTION

On a January weekend, calls began coming into the helpdesk at Jackson Hospital reporting that ER staff were unable to connect to the electronic charting system to access patient medical histories. Jackson Hospital is a 100-bed facility located on the Florida panhandle. Fortunately, the head of the hospital’s IT department, a 25-year veteran, was working on site and determined that the charting software had been taken down as part of a ransomware attack. He then made a swift decision that would end up containing the malware: he ordered all computers and servers to be shut down. That quick decision probably prevented the malware from spreading throughout the entire hospital. Hospital staff subsequently reverted to pen and paper to keep normal operations going, avoiding any disruption to patient care. Besides the charting software, the ransomware was only able to encrypt a repository of non-critical organizational documents on one other server. IT personnel began bringing systems back online on Tuesday, and by Wednesday everything but the charting system was back online.

IDENTIFY INDICATORS OF COMPROMISE (IOC)

As soon as the ransomware intrusion was confirmed, the team disconnected all computers from the Internet. The hospital’s IT team then reviewed every computer system in the hospital according to a priority list to confirm which systems had been infected, with the most critical systems reviewed first. When encrypted files were discovered on the data server mentioned above, an outside cybersecurity consulting firm was brought in to determine whether any of the data had been exfiltrated to support extortion demands. Systems were brought back online only after the team was certain that no malicious code remained anywhere on the network. The FBI was also brought in and determined that the perpetrators behind the attack were part of a ransomware gang called Mespinoza, also known as PYSA. Mespinoza is one of the few well-known ransomware groups that has continued to target healthcare facilities throughout the pandemic. The group has been credited with attacking 190 organizations across the world, mostly in the U.S. and England.

CONTAINMENT (If IoCs are identified)

The saving grace for the Jacksonville hospital was the speed at which the IT team was able to shut everything down. One of the things that made this possible was a well-organized training program. Hospital administration had created a set of contingency plans called “downtime procedures” that outline how the medical staff should function without the aid of electronic equipment or digital resources. Just a month prior to the attack, the hospital held a live rehearsal in which staff were taught how to respond to an actual ransomware attack. As a result, the hospital’s medical staff was ready to switch to a pen-and-paper system within minutes of the attack bringing the network down. The quick response to the attack proved the value of sufficient planning and training. Mespinoza is known for exfiltrating data and posting it to the dark web when victims don’t pay.

PREVENTION

Since successfully containing the attack, the response team has been conducting a thorough security audit of all of its systems, including its firewall and other security controls, to determine how the attack was able to take place. It is also taking additional steps to ensure that a similar attack never happens again. The FBI issued an alert concerning the Mespinoza organization in 2021. Some of its recommended mitigations include the following:

  • Implement network segmentation.
  • Implement a recovery plan to maintain and retain multiple copies of sensitive or proprietary data and servers in a physically separate, segmented, secure location (i.e., hard drive, storage device, the cloud).
  • Disable unused remote access/RDP ports and monitor remote access/RDP logs.
  • Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
  • Install updates/patch operating systems, software, and firmware as soon as they are released.
  • Use multifactor authentication (MFA) where possible.
  • Focus on awareness and training. Provide users with training on information security principles and techniques as well as overall emerging cybersecurity risks and vulnerabilities.
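As an added illustration of the “monitor remote access/RDP logs” item (example code written for this bulletin, not from the hospital, the FBI alert, or any product): the script below reads Windows Security logon events flattened to one line each (a constructed line format; event IDs 4624/4625 and LogonType 10 are the real Windows values) and flags RDP logons from sources outside an assumed allow-list, repeated RDP failures from one source, and a success that follows those failures. The allow-list and sample events are assumptions.

```python
import re
from collections import defaultdict
# Windows Security event 4624 = logon succeeded, 4625 = logon failed; LogonType 10 = RDP.
RDP_LOGON_TYPE = "10"
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<lt>\d+) "
                     r"User=(?P<user>\S+) Src=(?P<src>\S+)$")
def parse_event(line):
    """Parse one flattened event line into a dict; return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def review_rdp_logs(lines, approved_sources, fail_threshold=5):
    """Return findings, in log order, for RDP logons from unapproved sources, repeated
    RDP failures from one source, and a success from a source that had already failed."""
    findings, failures, already_flagged = [], defaultdict(int), set()
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["lt"] != RDP_LOGON_TYPE:
            continue  # skip malformed lines and non-RDP logons
        src, reason = ev["src"], None
        if ev["eid"] == "4625":
            failures[src] += 1
            if failures[src] >= fail_threshold and src not in already_flagged:
                already_flagged.add(src)
                reason = "repeated_rdp_failures"
        elif ev["eid"] == "4624":
            if src not in approved_sources:
                reason = "rdp_from_unapproved_source"
            elif failures[src] >= fail_threshold:
                reason = "rdp_success_after_failures"
        if reason:
            findings.append({"ts": ev["ts"], "user": ev["user"], "src": src, "reason": reason})
    return findings
# Constructed sample events (not real hospital data); 203.0.113.0/24 is a documentation
# range standing in for an unknown external source.
SAMPLE_LINES = [
    "2022-01-08T02:14:07Z EventID=4624 LogonType=10 User=nurse01 Src=10.20.5.17",
    "2022-01-08T02:15:11Z EventID=4625 LogonType=10 User=admin Src=10.20.5.9",
    "2022-01-08T02:15:20Z EventID=4625 LogonType=10 User=admin Src=10.20.5.9",
    "2022-01-08T02:15:31Z EventID=4625 LogonType=10 User=admin Src=10.20.5.9",
    "2022-01-08T02:16:02Z EventID=4624 LogonType=10 User=admin Src=10.20.5.9",
    "2022-01-08T02:17:30Z EventID=4624 LogonType=10 User=contractor Src=203.0.113.45",
    "2022-01-08T02:18:00Z EventID=4624 LogonType=3 User=svc_backup Src=10.20.5.9",
    "this line is not a valid event record",
]
APPROVED_SOURCES = {"10.20.5.17", "10.20.5.9"}  # assumed admin workstations / jump hosts
if __name__ == "__main__":
    for finding in review_rdp_logs(SAMPLE_LINES, APPROVED_SOURCES, fail_threshold=3):
        print(finding)
```

Run against the sample with a threshold of 3, it reports the three-failure burst from 10.20.5.9, the success that follows it, and the logon from the unapproved 203.0.113.45 address, in that order.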
Ensure your incident response readiness in the event of an attack. Review your security and risk profile.