Cyberattack at MedStar Health forces computer system offline

There is 'no evidence that information has been compromised,' the system says

From our expert: How to prepare for a ransomware attack

Hackers on Monday infected MedStar Health's computer system with a virus, the latest in a slew of cyberattacks against hospitals and health systems in recent months.

The system, which operates 10 hospitals and upwards of 250 outpatient facilities in the Washington, D.C., region, rapidly shut down all of its computer system interfaces on Monday morning to prevent the virus from spreading.

Officials say in a statement that there is "no evidence that information has been compromised." Without access to the EHR system, email, or the appointment-booking system, staff have resorted to using paper charts and records.

Three US hospitals hit by ransomware attacks on same day

All of MedStar's clinical facilities "remain open and functioning," MedStar spokesperson Ann Nickels said on Monday.

FBI investigating as possible ransomware attack

The FBI is investigating whether the virus is ransomware, a type of malicious software that encrypts files on the health system's network and demands ransom money to provide a decryption key.

An unidentified MedStar employee told the Washington Post that two other system employees received pop-up messages stating that the network had been infected and demanding a ransom in "some kind of Internet currency."

However, Nickels on Monday said she had "not been told that it's a ransom situation."

The MedStar cyberattack comes after four other U.S. hospitals were hit by ransomware attacks in recent months. In February, Hollywood Presbyterian Medical Center paid hackers who disabled its IT network a ransom of 40 bitcoins—about $17,000—in a move CEO Allen Stefanek described as "in the best interest of restoring normal operations."

Meanwhile, three U.S. hospitals were hit by separate ransomware attacks on Friday, March 18. The attacks—on Kentucky-based Methodist Hospital and two California-based hospitals owned by Prime Healthcare ServicesChino Valley Medical Center and Desert Valley Hospital—are all being investigated by the FBI. Attackers were demanding 4 bitcoins—about $1,600—to unlock Methodist Hospital's system, but the hospital did not pay the ransom.

LA hospital pays hackers ransom to regain access to IT network

Although details of the virus that struck MedStar remain unclear, the system is focused on fully restoring normal operations as soon as possible. "MedStar's highest priorities are the safety of our patients and associates and confidentiality of information," the system says. "We are working with law enforcement [and] our IT and cybersecurity partners to fully assess and address the situation" (Woodrow Cox et al., Washington Post, 3/28; Conn, Modern Healthcare, 3/28; Gillum et al., AP/U.S. News & World Report, 3/28; McDaniels/Duncan, Baltimore Sun, 3/28).

From our expert: How to prepare for a ransomware attack

Ernie Hood, Health Care IT Advisor

Ransomware attacks via email are virtually impossible to completely eliminate via technical means, such as through client-based antivirus software, since the criminals who craft ransomware emails are getting better and better at avoiding detection.

Therefore, it's imperative that provider organizations think proactively about how to best prevent ransomware attacks, and how to be ready to respond if one occurs.

Prevention: Education is key. Providers should incorporate anti-phishing information in annual security training materials and provide frequent alerts that explain the latest technique or scam. Organizations also should initiate a fake phishing campaign sent out by the security office, and they then should follow up with any staff who fall for it.

Preparation: Since there will always be a risk that malicious emails could get through, all staff should be trained on what to do if they get phished or hit with ransomware, including disconnecting immediately from all networks and reporting the incident to the appropriate body.

Organizations should also lay out standard procedures for handling such incidents, including having a technician assess the situation to determine if an attack has indeed occurred and to evaluate the scope of the incident prior to deciding how to respond. Providers should also have a standard incident response procedure, which we've outlined in our webconference, How to Build a Breach Plan.

Watch the webconference

Further, organizations need to have backups of their information, which they routinely check and update. Restoring via backups is the preferred method of removing ransomware. While it is time consuming, it can save the organization potential costs from having to reach out to third-party vendors for support or even from paying the ransom.

Next in the Daily Briefing

Around the nation: Police chief warns drug users their meth 'is contaminated with the Zika virus'

Read now