According to a JAMA study published earlier this year, about half of ransomware attacks on major hospitals and health systems disrupted healthcare delivery.
But at small and medium-sized providers, which often have tighter security budgets and fewer recovery resources, such attacks can be devastating and can disrupt care for days or even weeks.
Two years ago, OrthoVirginia, Virginia's largest provider of orthopedic medicine and therapy, was hit by a Ryuk ransomware attack that cut off access to workstations, the imaging systems needed for scheduled surgeries, data backups and more.
Terry Ripley, chief information officer of OrthoVirginia, and Steve Cagle, CEO of Clearwater Security and Compliance, agreed to share their experience of the attack and the recovery, and to discuss how OrthoVirginia built its cybersecurity strategy beyond recovery.
Ripley, who has more than 30 years of experience implementing medical technology in healthcare IT (she currently designs, develops and delivers information systems for large orthopedic clinics), also has some important advice for healthcare providers who are struggling with how cyber risk is perceived in their organizations.
“Implementing cyber hygiene practices can be challenging if it is seen as slowing down healthcare delivery or getting in the way,” Ripley said.
Q. At the beginning of the pandemic, OrthoVirginia experienced what you called a "perfect storm" that made a cyber incident possible in a physician-owned clinic network. Could you describe how the incident was discovered, the impact of the ransomware on the practice, and what your team faced in order to recover?
Ripley. Absolutely. Our IT monitoring systems detected a malicious deployment of ransomware on our local network on February 25, 2021. We later learned that this was an advanced Ryuk ransomware attack.
The incident affected our Windows servers, workstations, network storage and backups, but fortunately not our hosted [electronic health records]. When OrthoVirginia discovered the incident, it was able to stop the intrusion and prevent access to older data images and data files.
Our forensic experts later determined that the malicious reconnaissance activity began on or before February 23.
One of the most significant impacts on our practice was the encryption of our [picture archiving and communication system] (PACS), which stores all of our X-rays and is an essential component of orthopedic surgery. The cybersecurity incident affected the image viewer applications and database services.
However, there was no forensic evidence that the images themselves had been accessed. And because we had only recently reopened our operating rooms after COVID, it was critical for us to continue the surgeries we had planned for our patients.
We had a very small IT team, and I must say I couldn't be prouder of their reaction to this situation. They immediately shut down our servers to avoid further infection.
I contacted our cyber insurance incident response team and the FBI; they were all critical as we deployed response software, conducted forensic analysis, and proceeded with ransom negotiations. I think it’s important to note that we didn’t pay the ransom.
We spent the next 18 months recovering from the incident.
We established access to the EHR from the office via an isolated wireless network and secured bring-your-own-device access. We purchased as many Chromebooks as we could, encouraged employees to bring their own devices, and spent the next four months working with those devices, rebuilding virtual machines, and restoring data for our priority business applications.
We provided support for EHR access during business hours and rolled out a brand-new PACS within two weeks.
I'm pretty sure this is unheard of, but we made patients our very first priority and did whatever it took to take care of them. We got really creative and used every resource we could think of, but in the end we never had to stop treating patients, and that's the most important thing.
Q. What was the remediation approach, and how did Clearwater help OrthoVirginia respond to OCR?
Cagle. We entered into a partnership with OrthoVirginia following the recovery from the original incident. Terry [Ripley] knew they needed help building a stronger cybersecurity program, and after screening several potential vendors, they chose Clearwater.
At first, Terry asked us for the services of a virtual chief information officer, but the more we talked, the more she realized that she needed something more comprehensive, and we developed a managed services program for her.
While we were helping OrthoVirginia develop a cybersecurity roadmap, conduct tabletop exercises and conduct a comprehensive risk analysis, they received a letter of investigation and a data request from the [Office for Civil Rights] related to a patient's right of access to images that were temporarily inaccessible due to the ransomware incident.
The OCR investigation was comprehensive, as it focused not only on the access request but also on the ransomware incident. Terry was confident that what happened at OrthoVirginia did not violate any HIPAA rules and was not a breach of [electronic protected health information], and she asked us to help respond to the letter of inquiry.
Our team has extensive experience with OCR, so we helped Terry articulate the results of OrthoVirginia's forensics, the controls that were in place at the time of the incident, and the actions taken immediately upon discovery, allowing them to successfully respond to OCR's letter of inquiry, initial data request and subsequent requests for additional information.
Q. Once the remediation plan was in place, what were your next steps to protect the practice’s attack surfaces from future incidents?
Ripley. That's when we called Clearwater. I'm so proud of our small but powerful IT team, but the incident was also a sign that we needed help developing a more robust strategy.
It’s easy to read the headlines about other incidents and think, “But not us.” We wanted to make sure that if something like this ever happens again, we can really say that we’ve done our best to prevent it.
For this reason, we subscribed to Clearwater's ClearAdvantage managed services program. They helped create a comprehensive program, including program management and leadership.
Since the incident, we've added a number of measures: some smaller ones, like multi-factor authentication and digital IDs, and some larger ones, like evaluating the effectiveness of our cybersecurity program, rigorous risk analysis, technical testing, and tabletop exercises for executives. It's all part of a larger strategy that helps us do more with our small team.
Q. What advice would you give to providers who are struggling to implement good cyber hygiene practices?
Ripley. I think you should start with a general understanding of why.
OrthoVirginia is a physician-owned organization, so implementing cyber hygiene practices can be challenging if it is thought to slow down or interfere with healthcare delivery. If we could go back in time and had understood what was at stake and how much a cyber incident would affect our organization, I think we would have had a better consensus for making some of these changes.
Cagle. I agree with Terry, and I would add that effective communication with your board of directors is critical, not only to secure financial resources for cyber hygiene practices but also to prioritize them.
You can do this in many ways, from putting your CSO on the next board agenda to inviting your cyber insurance partner or your cybersecurity partner to speak at the next board meeting. We do this for our clients at Clearwater because we know how important it is to communicate the business objectives, and the risk to a company's equity value if the right strategies and best practices are not adopted before an incident.
In fact, there is not a single healthcare organization that could not be a target, from small to large, from public to private. It doesn't matter.
Q. How can providers that follow frameworks stay ahead of attackers as new attack waves such as smishing, vishing and QR code exploits emerge?
Cagle. Cybercriminals have become much more sophisticated in their strategies and methods of attacking healthcare organizations. Using frameworks and adhering to cybersecurity best practices can help organizations prevent the success of these attacks.
Humans are the number one vector for cyberattacks, and phishing/social engineering is the main threat. It’s important to teach your employees not to trust anything or anyone when it comes to the digital communications they receive, including voicemail, text messages, and phone calls. They need to learn to act out of skepticism, questioning everything they can’t verify as legitimate, including QR codes.
It's also very important to test the effectiveness of this training with periodic phishing and social engineering exercises, in which you send a simulated smish or vish to see how many of your employees click or respond in ways they shouldn't. This confirms the effectiveness of your training and identifies any gaps that need to be filled.
Ripley. I will reiterate the importance of both the training and the testing. That's what I mean when I say it's so easy to think "not us." Naturally, we place a lot of trust in the messages we receive, and attackers know this.
They rely on their ability to outsmart our workforce. That is how they sneak into the network undetected, which gives them time to find a vulnerability and exploit it.
Teach your employees, doctors, board members, consultants, and anyone else connected to your network to assume that email, text messages, voicemail and the like are dangerous until proven otherwise. Check the source carefully if a message contains a link or asks for a response.
These are really simple things that either protect your organization or make it an easy target.
Andrea Fox is a senior editor at Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a publication of HIMSS Media.