Hancock Health, an Indiana hospital, was recently targeted with a ransomware infection. They just paid the ransom to the hackers who gained access using the credentials of a third-party vendor.

The hospital said the hack was immediately noticed by employees, and affected email, electronic health record (EHR) software, and internal operating systems. More than 1,400 files were targeted, with hackers demanding payment within seven days to prevent permanent file encryption. The hospital said the files were backed up and could have been recovered, but restoring them would take significant time and be costly.

After payment of four Bitcoins, worth approximately $55,000, the files were released and hospital operations were restored.

Hospital leaders learned that the hacker used  an administrative account setup by one of the hospital’s vendors to gain unauthorized access to a system managed by the vendor and infected its systems with the SamSam ransomware variant.

Insights on Response and Prevention

Cyber insurance is a good idea. Fortunately for the hospital, they had insurance to provide coverage in this instance.

Post-attack steps are critical. The hospital asked employees to reset passwords, and indicated they’ve implemented software that detects patterns that might indicate a similar attack is about happen.

Paying ransomware is risky business. Law enforcement and security experts generally recommend not paying ransom for several reasons: paying a ransom provides further funding to such operations, there’s no guarantee that a ransom payment will result in returned files, and an organization who pays a ransom can be perceived as a ‘good’ target for further extortion.

Abuse of insider credentials can happen anywhere in the supply chain. In this instance, the valid credentials of a vendor were exploited. To help prevent this type of threat, organizations should:

  • Routinely re-assess vendor access levels, especially in those cases where vendors have privileged access. Go beyond the obvious need to revoke access as personnel or vendors offboard, and periodically review if the job requirements still require access.
  • Use activity and network monitoring software to help identify illegitimate use of valid logon credentials. With such software, administrators can be alerted to successful logins at unusual times (for the user or for the system) or successful logins from unusual locations (for the user or for the system).