Lessons from a ransomware attack: How one healthcare CIO helped her company recover

/in


In the early-morning hours of Feb. 25, 2021, Terri Ripley got the call every chief information officer dreads: Her company, OrthoVirginia Inc., had been hit by a massive attack of the Ryuk ransomware that had shut down its entire computing fabric.

Although it would be 18 months before systems were fully restored, OrthoVirginia never shut down operations or abandoned patients. What it learned during the crisis is a lesson for any organization that might become an attack target. Today, that’s everyone.

Speaking at the Healthcare Information and Management Systems Society Inc.’s Healthcare Cybersecurity Forum in Boston this week, Ripley gave a blow-by-blow description of the events immediately following the attack, the critical choices that were made and how the company is insulating itself from future incidents.

OrthoVirginia is Virginia’s largest provider of orthopedic medicine and therapy, encompassing 105 orthopedic surgeons spread across the state. Its 25-person information technology organization had put cyber protections in place before the attack hit, but the pandemic was a curveball they didn’t anticipate.

“When COVID hit and we sent everybody home, some of those protections were not in place,” she said. “We put a lot of good measures in place, but we still got hit.”

System-wide shutdown

The attack took down servers, workstations, network storage and backups, but fortunately not electronic health records, which were hosted offsite. It encrypted the picture archiving and communication system that contains the X-rays vital to orthopedic surgery. The application and database needed to view the images were also hit and the internet protocol phones went down.

To make matters worse, OrthoVirginia’s chief cybersecurity expert was on vacation at the time. Knowing that ransomware attacks can be unpredictable, “we made the decision to shut everything down,” Ripley said. “That stopped the script from running so we were able to save the data files.”

Forensics would later determine that the attack was triggered by a remote worker clicking on a malicious link. The attackers were able to compromise the system administration password, tunnel through the…

Source…