School, Hospital Leaders on Front Lines of Ransomware Attack
From Paying Ransoms to Rebuilding IT Systems, Here's What the Response Looked Like
What's worse than a COVID wave, lasts longer than a year and leaves affected individuals with no good choices? The aftereffects of a ransomware attack, witnesses told a Wednesday congressional panel in testimony culled from personal experience.
"I've been an emergency medicine doctor for 30 years," said University of Vermont Medical Center President and COO Stephen Leffler. "I've been a hospital president for four years. The cyberattack was much harder than the pandemic by far."
Leffler testified before a House Oversight subcommittee alongside Judson Independent School District Assistant Superintendent of Technology Lacey Gosch. Also sworn in was Grant Schneider, Venable senior director of cybersecurity services. Schneider warned at the outset that ransomware has devastating operational, economic and reputational outcomes.
"Victims are left with an unsavory set of options, having to choose between restoring services quickly by paying a ransom or working to reconstitute their systems and restore operations on their own," Schneider said. "Often, paying a ransom can be the most time and cost effective approach to getting an organization up and running again."
Twenty-Eight Days Without Electronic Medical Records
When the University of Vermont Medical Center's IT team detected a ransomware attack in October 2020, they immediately shut down the system before contacting leadership to let them know something was wrong, Leffler said. Swift action thwarted the exfiltration of any patient care information or employee information, and put the medical facility in a better position, Leffler recollected.
"Every single computer needed to be wiped clean and then reimaged," Leffler said. "Every server had to be wiped clean and reimaged. It was a 24-hour-a-day, seven-day-a-week job for our IT staff. We're very fortunate the state of Vermont realized how important this was and gave us National Guard workers to help with that reimaging."
Leffler said the ransomware attack forced the University of Vermont to shut off its electronic medical records system, meaning the medical center had to go back to using paper. Many younger doctors at the facility had never written paper orders and needed tutoring. But since backups were in place, no ransom payment was needed.
"Early in the cyberattack, we didn't have a phone system, because our phone is on the internet," Leffler said. "We literally went to Best Buy and bought every walkie-talkie they had. And I asked administrators all to run lab results to the floor; our critical lab results system was down. On day two, we had a pile of paper lab results in our pathology conference room about six inches thick."
The hospital has spent $65 million responding to and recovering from the ransomware attack, Leffler said. It has since segmented its IT system into smaller pieces to prevent bad actors from moving around at will in the event of an incident, added multi-factor authentication for administrators who didn't have it before, and made it harder for administrators to change things.
"We assume a security incident is going to happen again," Leffler said. "There are so many people trying."
Going forward, Leffler wants to see ways for medical centers to more cheaply purchase cybersecurity products and services and keep those technologies current and upgraded. Leffler would also like to see federal officials make grants available to bring medical facilities up to accepted cybersecurity standards as well as money for strong backups so that fewer organizations have to pay ransom after an incident (see: Bill for Rural Hospital Cyber Skills Passes Senate Committee).
"As a doctor, I want to spend all the money on patient care technology and new equipment there," Leffler said. "Prior to the cyberattack, usually cybersecurity stuff would fall down the budget and oftentimes come off."
Paying the Ransom, and Still in the Wilderness
Despite paying a nearly $550,000 ransom, it took the Judson Independent School District more than a year to recover from a June 2021 ransomware attack, with the San Antonio-area district still making improvements, said Gosch. Network restoration was only possible thanks to "school district friends" that assisted with communications and business operations.
"We learned that the cavalry does not come, and we must rely on our own resources," Gosch said. "No state or federal agency ever visited or offered recovery assistance to us. Insurance coverage was helpful, but those go predominantly to attorney's fees, data mining and identity protection. It does not cover ransom payments or costs for upgrades to mitigate that damage."
Gosch said the costs associated with a ransomware attack aren't limited to data loss or a data breach, but instead encompass everything from monetary loss and recovery and replacement efforts to security efforts and mental and physical health effects.
"I was hired only 34 days prior to this attack," Gosch said. "The state of the district's technology was not unlike thousands of school districts across the nation. It was outdated, out of support, and included antiquated systems and hardware that could not support the changes brought about by COVID-19. These factors contributed to our vulnerability and the continued concern for many K-12 leaders."
Even with the ransom payment, Gosch said the school district had to spend more than $5 million remediating the attack and replacing all the technology equipment. Specifically, she said the district implemented multi-factor authentication and endpoint detection and response, moved to immutable backups and cloud-based systems, and now uses artificial intelligence to monitor its email.
"We've added those at a high cost," Gosch said. "And that is always a concern as we look at school budgets in terms of maintaining it, but we were able to upgrade to what is needed to combat it."
Going forward, Gosch would like to see more funding set aside to help school districts stop cyberattacks, protect sensitive data and upgrade their equipment. Cyber recovery and mitigation programs haven't been formally developed for schools, but Gosch said she'd recommend federally supported discount programs similar to E-Rate as well as setting cybersecurity standards for schools.
"At least in Texas, there's not any particular guidance or requirements to deal with cybersecurity," Gosch said. "It's just not talked about within education; it's not something that's supposed to necessarily happen. There's a lot of other that would help on the cybersecurity piece as far as student data, just in having some regulations, even on software companies."