Details of a Recent Malware Attack Targeted at Healthcare

CynergisTek has heard from several hospitals across the nation about attempted malware attacks. One incident last month in particular provided another example of the threat, and there are some key lessons to learn from it. A large hospital began receiving a series of email messages indicative of a malware issue. Because the messages were being sent only to system administrators, the attack was not quickly identified, and the messages were not discovered until nearly six hours later. As a result, the organization’s help desk was added to the email distribution list to get more eyes on future email alerts. A few things to know about the attack:

  • The attack was identified as occurring on February 9 and 11, 2016, and was traced back to two user accounts that had clicked on a malicious link on two virtual desktops. The malicious link was not identified.
  • Two servers were compromised as a result of not having anti-virus installed. The EHR vendor had recommended not installing anti-virus in order to improve performance. The hospital has since decided to go ahead and install anti-virus software, which resulted in a 45-second login time. After additional configuration changes, this was reduced to 30 seconds. Staff have made no complaints about the increased login time.
  • The hospital contacted its anti-virus vendor to ask why the ransomware had not been identified by the anti-virus solution. The vendor told them that the variant of the ransomware had changed before they could update their virus definitions.
  • An attempt was made to encrypt 34,000 files on a file server. The file server folders that were compromised during the attack were found to be misconfigured: the two user accounts had write access to three folders that they should not have had. This was corrected.

Several factors contributed to this incident:

  • Insufficient notification protocols were in place. Alerts should be distributed to all key personnel, even the help desk, to have more eyes on the situation. The timeframe from when the attack began to when it was discovered allowed sufficient time for the organization to be compromised.
  • Vendor recommendations are just that – recommendations. At the end of the day, the covered entity is responsible for securing and protecting their ePHI. They should not automatically default to a vendor recommendation but should sufficiently test configurations to decide if that recommendation fits the security goals of the covered entity.
  • Compliance with security policies and ensuring that staff apply the appropriate security measures when assigning user permissions is very important. Auditing user access can help identify inappropriate user permissions.
  • User training and awareness of the latest security threats and how to identify them can help reduce security incidents. In this situation, two users clicked on malicious links. Training on these types of attacks can help users to identify malicious links and reduce the chances of being subject to ransomware attacks.
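
The access audit recommended above, sketched as an added example that is not part of the original post: it expands nested group membership to find accounts whose write access to a folder goes beyond an approved list. The folder, group and account names, the rights vocabulary and the approved-writer matrix are all constructed for illustration.

```python
# Added example: every name and value below is constructed sample data.
WRITE_RIGHTS = {"Write", "Modify", "FullControl"}

# ACL export as (folder, principal, right); a principal is a user or a group.
ACL_ENTRIES = [
    ("/shares/finance", "grp-finance", "Modify"),
    ("/shares/finance", "grp-migration", "Modify"),       # leftover grant
    ("/shares/hr", "grp-hr", "FullControl"),
    ("/shares/hr", "grp-migration", "Write"),             # leftover grant
    ("/shares/radiology", "grp-radiology", "Modify"),
    ("/shares/radiology", "vdi-user1", "Modify"),         # direct grant
    ("/shares/radiology", "vdi-user2", "Modify"),         # direct grant
    ("/shares/radiology", "grp-vdi-pilot", "Read"),       # read-only, ignored
]
GROUPS = {
    "grp-finance": {"fin-a"}, "grp-hr": {"hr-a"}, "grp-radiology": {"rad-a"},
    "grp-migration": {"grp-vdi-pilot"},                   # nested group
    "grp-vdi-pilot": {"vdi-user1", "vdi-user2"},
}
# Who is supposed to be able to write to each folder.
APPROVED_WRITERS = {
    "/shares/finance": {"fin-a"}, "/shares/hr": {"hr-a"},
    "/shares/radiology": {"rad-a"},
}

def expand(principal, groups, seen=None):
    """Resolve a principal to the user accounts it covers, following nested groups."""
    seen = set() if seen is None else seen
    if principal in seen:            # guard against circular group nesting
        return set()
    seen.add(principal)
    if principal not in groups:      # not a group, so treat it as a user account
        return {principal}
    users = set()
    for member in groups[principal]:
        users |= expand(member, groups, seen)
    return users

def excess_write_access(acl, groups, approved):
    """Return sorted (folder, user, granting principal) for unapproved write access."""
    findings = set()
    for folder, principal, right in acl:
        if right not in WRITE_RIGHTS:
            continue
        for user in expand(principal, groups):
            if user not in approved.get(folder, set()):
                findings.add((folder, user, principal))
    return sorted(findings)

if __name__ == "__main__":
    for folder, user, via in excess_write_access(ACL_ENTRIES, GROUPS, APPROVED_WRITERS):
        print(f"{user} can write to {folder} via {via}, but is not an approved writer")
```

Reporting the granting principal alongside each finding shows whether the fix is removing a direct grant or cleaning up a group that should no longer be on the folder.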


Jeremy Molnar published this blog post on behalf of the author, Ryan Stewart, Compliance Consultant.

March 14th, 2016

About the Author:

Jeremy Molnar
Jeremy Molnar is vice president of services for CynergisTek, Inc. He is considered a subject matter expert in information security, including architecture and enterprise security assessments, network security, host-based security, intrusion detection, log monitoring and management, risk and vulnerability assessments, penetration testing and analysis, and disaster recovery/business continuity planning.