The Ambulatory Surgical Center at St. Mary Medical Center, located in Langhorne, PA, recently announced that it had been the target of a ransomware attack. For those new to this type of digital threat, such an attack usually involves hackers gaining access to a network’s information and either locking out the owners and preventing access, or threatening to share the information with others. Once it’s too late for preventative measures, often the only way to keep this from happening is to pay the hackers their ransom and begin picking up the pieces.
In this instance, the Medical Center staff sounded the alarm that they were unable to access the network, and the IT team confirmed that an intrusion had taken place. The major challenge facing the team was restoring access to the network, as the hospital’s stolen files were encrypted and of no use to the hackers as they were. Fortunately, the St. Mary’s team regularly backed up their documents and was able to restore the network’s impacted files without giving in to the hackers’ demands.
What could have been a hugely costly event in both dollars and reputation was mitigated by the hospital’s ability to prepare for, identify and respond to a threat. But the event couldn’t be merely swept under the rug, as the Office for Civil Rights within the Department of Health and Human Services requires a written notification be sent to all patients when a healthcare center is targeted in a ransomware attack, regardless of the outcome.
In accordance with the rules, the Ambulatory Surgical Center sent out notifications to all 13,000 patients that an attempt had been made to access their personal health information. In addition to keeping affected patients abreast of the developments, they also offered a credit monitoring service to help individuals keep tabs on the potential use of their personal information.
While some cyberthieves go after individuals, the targets offering a bigger payday are typically the bigger organizations with more data at hand and a more complicated infrastructure. Given the value of this volume of information, many hackers will leave behind malware that can cause additional damage such as allowing re-entry at a later date. To prevent this, HIPAA requires a full risk assessment be performed to determine whether a security risk still remains.
While the Ambulatory Center is still conducting this internal audit, the fact remains that they not only dodged a bullet with their preparation, but were able to portray the event in the best possible public relations light, despite the intrusion.
Based on research conducted by Kaspersky Lab, the Ambulatory Center at St. Mary is hardly alone in facing this threat, as more than 700,000 such attacks were recorded in the past year. As the number continues to rise, businesses and non-profits of all shapes and sizes would be wise to start exploring the proper precautionary measures and to create a contingency plan to handle a threat when it arises.