Ransomware attack freezes health records access at 110 nursing homes

Happy Thanksgiving: your elder loved one’s life may be at risk.

About 110 nursing homes and acute-care facilities have been crippled by a ransomware attack on their IT provider, Virtual Care Provider Inc. (VCPI), which is based in the US state of Wisconsin and which serves up data hosting, security and access management to nursing homes across the country.

The attack was still ongoing on Monday, when cybersecurity writer Brian Krebs first reported the assault.

Krebs says it involves a ransomware strain called Ryuk, known for being used by a hacking group that calculates how much ransom victimized organizations can pay based on their size and perceived value.

Whoever it was who launched the attack, they got it wrong in this case. VCPI chief executive and owner Karen Christianson told Krebs that her company can’t afford to pay the roughly $14 million Bitcoin ransom that the attackers are demanding. Employees have been asking when they’ll get paid, but the top priority is to wrestle back access to electronic medical records.

The attack affected virtually all of the firm’s core offerings: internet service, email, access to patient records, client billing and phone systems, and even the internal payroll operations that VCPI uses to pay its workforce of nearly 150. Regaining access to electronic health records (EHR) is the top priority because without that access, the lives of the seniors and others who reside in critical-care facilities are at stake.

This is dire, Christianson said:

We’ve got some facilities where the nurses can’t get the drugs updated and the order put in so the drugs can arrive on time. In another case, we have this one small assisted living place that is just a single unit that connects to billing. And if they don’t get their billing into Medicaid by December 5, they close their doors. Seniors that don’t have family to go to are then done. We have a lot of [clients] right now who are like, ‘Just give me my data,’ but we can’t.

As Krebs notes, recent research suggests that death rates from heart attacks spike in the months and years following data breaches or ransomware attacks at healthcare facilities. A report from Vanderbilt University Owen Graduate School of Management posits that it’s not the attacks themselves that lead to the death rate rise, but rather the corrective actions taken by the victimized facilities, which might include penalties, new IT systems, staff training, and revision of policies and procedures.

Ironically, those corrective measures introduce a long, slow learning curve. From the report:

Corrective actions are intended to remedy the deficiencies in privacy and security of protected health information. However, enhanced security measures may introduce usability – which we define as the ease of use – problems. New security procedures typically alter how clinicians access and use clinical information in health information systems and may disrupt the provision of care as providers require additional time to learn and use the new or modified systems.

Ryuk strikes again

The ransomware flavor used against the nursing homes was Ryuk: an especially pernicious variant used not only to prey on our elders, but also on kitties and doggies. This week, we found out that Ryuk was used in a ransomware attack that affected hundreds of veterinary hospitals.

Ryuk has also been used in ransomware attacks against organizations including the city of New Bedford in Massachusetts, the Chicago Tribune, and cloud hosting provider DataResolution.net.

How long has the attack been going on?

Krebs reports that Ryuk was unleashed inside VCPI’s networks around 1:30 a.m. CT on 17 November. It could have been lying in wait for months or years, however, as the intruders mapped out the internal networks and compromised resources and data backup systems in preparation for the ultimate attack.

Christianson said that VCPI will publicly document the attack – “when (and if)” it’s brought under control. For now, it’s focusing on rebuilding systems and informing clients, even in the face of the data kidnappers having seized control of the firm’s phone systems at one point, when it tried to sidestep their damage:

We’re going to make it part of our strategy to share everything we’re going through. But we’re still under attack, and as soon as we can open, we’re going to document everything.

How to protect yourself from ransomware

• Pick strong passwords. And don’t re-use passwords, ever.
• Make regular backups. They could be your last line of defense against a six-figure ransom demand. Be sure to keep them offsite where attackers can’t find them.
• Patch early, patch often. Ransomware like WannaCry and NotPetya relied on unpatched vulnerabilities to spread around the globe.
• Lock down RDP. Criminal gangs exploit weak RDP credentials to launch targeted ransomware attacks. Turn off Remote Desktop Protocol (RDP) if you don’t need it, and use rate limiting, two-factor authentication (2FA) or a virtual private network (VPN) if you do.
• Use anti-ransomware protection. Sophos Intercept X and XG Firewall are designed to work hand in hand to combat ransomware and its effects. Individuals can protect themselves with Sophos Home.

For more advice, please check out our END OF RANSOMWARE page.