On December 18, 2022 officials from Toronto’s Hospital for Sick Children (commonly known as Sick Kids), announced the hospital was under a Code Grey – hospital code for system failure – and a few days later on December 22, the hospital confirmed it experienced a cybersecurity incident and later revealed it had been the target of a ransomware attack. This attack affected numerous systems including their website, clinical systems, a portion of their phone lines and the staff payroll system. It contributed to diagnostic and imaging delays for the hospital’s young patients. Fortunately, there is no evidence that patient information has been compromised.
What we know so far.
By Sunday, January 1, over 60% of its “priority systems” had been brought back online, including many that had contributed to diagnostic and treatment delays, and restoration efforts were “progressing well.” While this is good progress, two weeks after the incident was identified, 50% of systems remained affected.
Then, something interesting and unexpected occurred. LockBit, the ransomware group responsible for the attack, posted an apology and provided the decryptor to unlock the remaining systems…for free. LockBit has a policy stating that its “ransomware operation allows its affiliates to encrypt pharmaceutical companies, dentists, and plastic surgeons. It prohibits its affiliates from encrypting medical institutions where attacks could lead to death.” Since the affiliate violated the policy, it was banned from the group, and the keys were offered to the hospital. Oddly, LockBit has a history of encrypting hospitals and not providing decryptors, as was seen in its attack against the Centre Hospitalier Sud Francilien (CHSF) in France, where a $10 million ransom was demanded and patient data was eventually leaked. One can only theorize that attacking a children’s hospital was a step too far.
If it can happen to a large hospital, it can happen to you.
Sick Kids Hospital has not revealed the root cause of the attack, but there are a few possibilities based on what we know about similar incidents:
- They haven’t determined the cause and may never have an answer.
- The attack may have originated via a phishing campaign where a hospital employee clicked on a link in an email, unknowingly sparking the attack process.
While Sick Kids is a large organization, it is important to note that small organizations are not immune to these financially motivated attacks to steal PHI and cause disruption.
- Ransomware attacks occur against organizations of all sizes in all industries. It is only the larger attacks that appear in the news.
- Clinics are a vital part of the healthcare ecosystem, and attackers know that clinic systems can be an easy entry point to the overall ecosystem.
- Clinic operators must understand that, with limited resources and immature security practices, smaller healthcare clinics are an easier target for attackers seeking valuable PHI and looking to disrupt patient care.
What can small clinics do if well-resourced hospitals can’t protect their environment?
Ultimately, the expectation is that all organizations do their part to protect patient services and information against a common threat. Clinic operators must take the threat seriously and implement fundamental cybersecurity practices designed to reduce risk and protect their business.
Start with the basics:
- Regular cybersecurity awareness training empowers employees to identify suspicious activity better and creates a security-conscious culture.
- Sound password policies and two-factor authentication can dramatically reduce the opportunity for hackers to gain unauthorized access to critical systems and the data contained within.
- A process to ensure that all computers are patched/updated regularly can prevent attackers from gaining access to critical systems via weaknesses within the applications we use every day.
- Deploy a next-generation endpoint protection product on all computers to detect and protect against known and zero-day malware.
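The four basics above are easier to keep up when they are checked the same way every month rather than from memory. The script below is an added example, not code from the original post or from Sick Kids, that audits a constructed workstation inventory against those basics: patch age, two-factor authentication, minimum password length, an active endpoint protection agent, and the date of the primary user's last awareness training. The thresholds and the inventory fields are assumptions chosen for the example; a real clinic would populate the inventory from its patch-management, identity and endpoint tools.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds are assumptions chosen for this example, not figures from the post.
MAX_PATCH_AGE_DAYS = 30        # every workstation patched at least monthly
MAX_TRAINING_AGE_DAYS = 365    # awareness training refreshed at least yearly
MIN_PASSWORD_LENGTH = 12       # minimum length the password policy must enforce


@dataclass
class Workstation:
    name: str
    last_patched: date
    mfa_enabled: bool               # second factor required for the user's logins
    min_password_length: int        # length the local/domain password policy enforces
    endpoint_protection: bool       # endpoint protection agent installed and active
    last_training: Optional[date]   # primary user's last awareness-training date, None if never


def audit_workstation(ws: Workstation, today: date) -> List[str]:
    """Return one finding per basic control the workstation fails; an empty list means compliant."""
    findings: List[str] = []
    patch_age = (today - ws.last_patched).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        findings.append(f"patching: last patched {patch_age} days ago (limit {MAX_PATCH_AGE_DAYS})")
    if not ws.mfa_enabled:
        findings.append("authentication: two-factor authentication not enabled")
    if ws.min_password_length < MIN_PASSWORD_LENGTH:
        findings.append(f"password policy: minimum length {ws.min_password_length} (need {MIN_PASSWORD_LENGTH})")
    if not ws.endpoint_protection:
        findings.append("endpoint protection: no active agent")
    if ws.last_training is None:
        findings.append("awareness training: never completed")
    elif (today - ws.last_training).days > MAX_TRAINING_AGE_DAYS:
        findings.append("awareness training: overdue")
    return findings


def audit_inventory(inventory: List[Workstation], today: date) -> Dict[str, List[str]]:
    """Map each non-compliant workstation name to its findings; compliant hosts are omitted."""
    report: Dict[str, List[str]] = {}
    for ws in inventory:
        findings = audit_workstation(ws, today)
        if findings:
            report[ws.name] = findings
    return report


# Constructed sample inventory for a small clinic (hypothetical hosts, not real data).
AUDIT_DATE = date(2023, 1, 15)
SAMPLE_INVENTORY = [
    Workstation("reception-01", date(2023, 1, 10), True, 14, True, date(2022, 9, 1)),
    Workstation("exam-room-02", date(2022, 10, 3), True, 14, True, date(2022, 9, 1)),
    Workstation("billing-01", date(2023, 1, 12), False, 8, True, None),
    Workstation("imaging-01", date(2023, 1, 12), True, 14, False, date(2021, 12, 1)),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Run on the sample inventory, the report lists three of the four workstations: one with stale patches, one missing both two-factor authentication and a long-enough password policy for a user who has never had training, and one with no endpoint protection and overdue training. The point of the list-per-host output is that each finding maps directly to one of the basics, so the clinic knows which control to fix rather than only that something is wrong.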
Hackers are efficient! Everything about their behaviour points to a philosophy of spending the least effort by targeting ‘the lowest-hanging fruit.’ A phishing campaign can deliver a well-crafted email into the inboxes of thousands of untrained, unsuspecting people. Will someone click? Does that organization have cybersecurity defenses? Clinic operators are responsible for protecting their employees, data, and business from imminent threats.
For more information on strategies you can implement today to protect your clinic and patient information from cyber-attacks, download our free whitepaper, Secure Your Practice.