As Mondays go, Columbia, MD-based hospital chain MedStar had a pretty bad one: The system, which includes 10 hospitals and about 250 outpatient facilities, was forced to disable its computer network after a virus was detected that prevented users from logging into the system.
As the outage stretched into multiple days, employees found ways to work -- on a limited basis -- without a fully functioning computer network. Some of those tactics will sound familiar to anyone who worked in healthcare in the days before those networks were so ubiquitious, one employee told Industry Dive.
Ransomware has been a hot topic since a Los Angeles hospital paid hackers last month a bitcoin ransom equal to $17,000 to release patient’s healthcare data. Since that attack, at least two more California hospitals have been hit with similar attacks. A Kentucky hospital went so far to declare a state of emergency after being ambushed with a type of ransomware called Locky.
The attack begins
The Washington Post reported that “staffers reported Monday seeing a pop-up on their computer screens stating that they had been infected by a virus and asking for ransom in bitcoins, an Internet currency.” However, MedStar has not stated whether or not ransomware was involved in the shutdown.
After the MedStar news broke, the FBI announced it was investigating the situation to assess if the virus was a strain of ransomware. This comes after the FBI issued a confidential advisory on Friday asking business and IT security experts to help it track down a new ransomware virus known as MSIL/Samas.A, possibly the first virus to encrypt data on entire networks rather than one computer at a time.
While the FBI is still investigating the virus, MedStar, whose systems are currently being worked on to restore completely, issued a statement Tuesday online and via Twitter:
MedStar is working to restore the majority of our systems today. Patient safety remains our highest priority. Visit https://t.co/Qoep4G3DAe— MedStar Health (@MedStarHealth) March 29, 2016
“After a careful assessment and testing overnight, we are working to restore the majority of our IT systems today. We are using backup systems, including paper documentation—a process used before the advancements of technology—where necessary, and as an additional layer of support to our clinical operations,” the statement read. “We will continue to partner with experts in the field of IT and cybersecurity, as well as law enforcement, to continually assess the situation as we safely restore functionality.”
On the inside
So what does a cyberattack look like from the inside? MedStar media officials did not respond to requests for comment but a MedStar employee who asked to remain anonymous told Healthcare Dive the system reverted to “old school” tactics, including walking down the hall to communicate, making copies of files, and working with paper. Employees were not able to access contact lists or their calendars in Microsoft Outlook.
“The morning I came in, my email wasn’t updating although I could get on the Internet,” the source said. About 10 a.m. Monday, departments received voicemail messages telling employees to shut down computers, not to download items, and stating they would be notified when it was safe to go online again.
Employees were given “wait to hear more” instructions, the source said, as employees started brainstorming about what they could do if the system stayed down.
“There actually has been a bit of infrastructure built up to set up runners and have individuals in a labor pool to help [operations],” the source said. So offices were cleaned, files were organized, copies were made, and resources were brought in for internal team training.
As of the time of publication, our source noted that computers have been turned on but they cannot connect to their files.