by Marti Arvin and John Nye
Petya, or NotPetya as some call it, has shown itself to be either very poorly thought out ransomware or, more likely, a fully destructive malware attack thinly veiled as ransomware. In essence, a “traditional” ransomware threat encrypts specific important file types and shows the user a ransom note telling them to pay or lose their data. In the last week of June, we saw something stranger: on the surface it appeared to be a modified version of a known and fairly common ransomware variant called Petya, hence the NotPetya name. However, unlike standard ransomware, whose entire purpose is to make money, the ransom payment and recovery mechanisms built into this new Petya variant were very weak. It relied on a single email address (which was promptly shut down) and a single Bitcoin wallet, meaning there was virtually no way for the criminals to know who had paid or which key might be the right one to unlock the data.
Once this was evident to the security research community, it was time to look more closely at NotPetya. It is now known that the malware encrypts the entire drive, including the Master Boot Record (MBR), which leaves the system quite unstable and likely not recoverable at all. For this particular threat there is little that can be done except to contain the infection, eliminate the infected systems (e.g. wipe them) and restore from backup; offline data backups will be the most important means of regaining access to data. After an infection, it is also important to find out how the systems in the network were infected and make sure the vulnerability that led to the incident is remediated.
Would your organization be prepared for a NotPetya attack?
The increased frequency of cyberattacks on healthcare organizations and their vendors should be of great concern. This risk area has always been there, but it was never as prominent as in today’s environment. Since Petya or NotPetya essentially destroys all of the data on the device it infects, data back-up, disaster recovery and contingency operation plans are now more important than ever. It is not uncommon for these components of an organization’s information security planning to be overlooked, ignored and/or never updated from the original documents. If the document was created in 2005, when the HIPAA Security Rule became enforceable, and has not been updated since, it is likely not meaningful in the current threat environment. These are areas that should be assessed on a regular basis to assure that back-ups are created as planned and that the information can actually be recovered from them. The frequency of back-ups should be assessed, particularly for mission-critical systems.
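The two checks the paragraph above asks for, that backups are being created at the planned frequency and that data can be recovered from them, can be scripted so they run on a schedule rather than being assumed. The following Python is an added illustration written for this article, not code from the original post or from any backup product; the system names, tiers, age policy, catalogue records and file contents are all constructed, and a real run would read the catalogue from the organization's backup tool and restore to a scratch location.

```python
"""
Backup readiness check (added example; all data below is constructed).

  1. assess_backup_freshness: is there an OFFLINE copy of each system that is
     newer than the tier's maximum age? Online copies do not count, because a
     wiper such as NotPetya destroys whatever the infected host can reach.
  2. verify_restore: after a test restore, does every file match the checksum
     recorded at backup time? "Job succeeded" is not the same as "recoverable".
"""
import hashlib
import os
import tempfile
from datetime import datetime, timedelta, timezone

# Assumed policy: maximum age of the newest good offline copy, per tier.
MAX_BACKUP_AGE = {
    "mission-critical": timedelta(hours=4),
    "standard": timedelta(hours=24),
}

# Constructed catalogue, in the shape a backup tool might export.
SAMPLE_CATALOG = [
    {"system": "ehr-db", "tier": "mission-critical",
     "completed": "2017-06-28T06:00:00Z", "offline": True},
    {"system": "ehr-db", "tier": "mission-critical",
     "completed": "2017-06-28T10:00:00Z", "offline": False},
    {"system": "billing-app", "tier": "standard",
     "completed": "2017-06-28T02:00:00Z", "offline": True},
]


def _parse(ts):
    """Parse the catalogue's UTC timestamps into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess_backup_freshness(catalog, now):
    """Return {system: 'OK' | 'FAIL: ...'} judged only on offline copies."""
    findings = {}
    for system in sorted({e["system"] for e in catalog}):
        entries = [e for e in catalog if e["system"] == system]
        tier = entries[0]["tier"]
        limit = MAX_BACKUP_AGE[tier]
        offline = [e for e in entries if e["offline"]]
        if not offline:
            findings[system] = "FAIL: no offline copy at all"
            continue
        age = now - max(_parse(e["completed"]) for e in offline)
        if age > limit:
            findings[system] = (f"FAIL: newest offline copy is {age} old, "
                                f"policy for {tier} is {limit}")
        else:
            findings[system] = "OK"
    return findings


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_restore(manifest, restore_dir):
    """manifest: {relative_path: sha256 at backup time}. Returns problems found."""
    problems = []
    for rel, expected in manifest.items():
        path = os.path.join(restore_dir, rel)
        if not os.path.exists(path):
            problems.append(f"{rel}: missing after restore")
        elif sha256_file(path) != expected:
            problems.append(f"{rel}: checksum mismatch after restore")
    return problems


def demo_restore_test():
    """Restore drill in a temp dir: clean restore passes, a corrupted file is caught."""
    with tempfile.TemporaryDirectory() as d:
        files = {"patients.csv": b"id,name\n1,constructed\n",
                 "orders.csv": b"id,drug,mg_per_kg\n1,example,10\n"}
        manifest = {}
        for name, data in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
            manifest[name] = hashlib.sha256(data).hexdigest()
        clean = verify_restore(manifest, d)
        with open(os.path.join(d, "orders.csv"), "ab") as f:
            f.write(b"garbage")          # simulate a silently damaged restore
        corrupted = verify_restore(manifest, d)
        return clean, corrupted


if __name__ == "__main__":
    now = _parse("2017-06-28T12:00:00Z")   # assumed "current" time for the demo
    for system, result in assess_backup_freshness(SAMPLE_CATALOG, now).items():
        print(f"{system:12} {result}")
    print(demo_restore_test())
```

With the constructed catalogue, ehr-db fails even though a backup ran two hours ago, because that copy is online and the newest offline copy is six hours old against a four-hour policy; billing-app passes. The restore drill returns no problems for the clean copy and one checksum mismatch once a file is damaged, which is the kind of result a contingency review should see before an incident, not after.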
Holding drills of contingency operations and disaster recovery is another critical step. If your organization lost the data on a critical system, even for a day, how would that impact operations? Do staff know what the next steps are? You may need additional staffing resources during contingency operations, and those staff resources may be in the clinical area as well as in other places like Information Technology. The IT staff will be dealing with the incident but will also need to deal with the needs of clinical and other operational staff. If a failover system exists but additional clinical staff need emergency provisions, how will that be handled? Lack of a strong contingency operations and disaster recovery plan can make an already bad situation worse. Lack of timely back-ups could mean increased risk to your patients because critical data is not available to the clinical staff who make healthcare decisions for them. If staff have become dependent on the electronic system, are there alternatives when they have to revert to paper? For example, clinicians may depend on the electronic system to calculate the appropriate milligrams-per-kilogram dosage for a pediatric patient weighing 42 pounds; if the electronic system is unavailable, can they calculate the correct dosage?
Not just you, but your business associates too.
In addition to being an issue for the systems controlled directly by the healthcare organization, these are also issues that should be addressed with vendors. If a vendor who performs a significant portion of the entity’s billing becomes incapacitated for days because of the destruction of data, whether by a hacker or by some other disaster, that could have a substantial impact on the cash flow of the organization.
Planning and preparation for the complete loss of a data system always seemed like a good idea, but in today’s environment the importance of these steps cannot be emphasized enough. Health care entities need to assure that they are prepared and that vendors, particularly those that hold original data for critical systems, have appropriate plans and well-tested processes in place.