Virus Forces Shutdown of Medstar Health System’s 10-Hospital Computer Network

On Monday, March 28, 2016, Medstar Health System discovered that a computer virus had been installed on its computer network. The Columbia-based health system, which runs 10 hospitals and more than 250 outpatient facilities throughout Maryland and Washington D.C., was forced to shut down its electronic health record (EHR) and email systems to prevent the spread of the virus.

The virus was discovered on Monday morning and the health system acted rapidly to contain the infection and prevent its spread throughout the organization. The security breach was reported to the FBI and an investigation into the attack has been launched. The health system is currently working with its IT and security partners to determine the exact nature of the cyberattack, the extent to which data and systems have been compromised, and how best to deal with the virus.

Medical services are still being provided to patients and all of the health system’s facilities remain operational; however, the decision to take the EHR and email systems offline will have an impact on patients. Medstar Health employs around 30,000 staff who have been prevented from communicating electronically. Even if email access is rapidly restored it will take some time to clear the backlog.

Electronic patient health records cannot be consulted or amended as the computer network is not operational. Consequently, physicians and nurses have had to go back to using paper records and charts to record patient health data. This is likely to result in considerable delays for patients. At present, it is unclear how long it will take to remove the virus and bring all systems back online.

The nature of the virus has not been disclosed to the media, although this incident comes on the back of a string of ransomware attacks on U.S. hospitals. Those attacks are believed to have involved a strain of ransomware called Locky. Once installed on a computer, Locky ransomware searches the device for a range of different file types and scrambles data to prevent files from being accessed. This strain of ransomware also searches for files on virtual drives, portable storage devices, and network drives and locks those files with powerful encryption.

The fact that the email system has also been shut down suggests email was the attack vector. Locky and other forms of ransomware are often delivered via infected email attachments. Hospital staff inadvertently install ransomware and viruses by opening seemingly genuine PDF files and other infected file attachments. Recently, ransomware has been delivered via Word documents. Those documents contain malicious macros, which, if allowed to run, download ransomware onto the device.
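As a defensive illustration of the delivery route described above (an added example, not part of the original report), the following Python code inspects email attachments by content rather than by file extension and holds Office files that can carry macros. The function names and the sample message are constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes
from email.message import EmailMessage

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy .doc/.xls container
ZIP_MAGIC = b"PK\x03\x04"                       # OOXML (.docx/.docm) container

def classify_attachment(data: bytes) -> str:
    """Return 'ooxml-macro', 'ole-legacy' or 'no-macro-container'."""
    if data.startswith(OLE_MAGIC):
        return "ole-legacy"  # binary Office formats can embed macros; hold for review
    if not data.startswith(ZIP_MAGIC):
        return "no-macro-container"
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = [n.lower() for n in zf.namelist()]
    except zipfile.BadZipFile:
        return "no-macro-container"
    # OOXML files store a VBA project as a vbaProject.bin part
    macro = any(n.endswith("vbaproject.bin") for n in names)
    return "ooxml-macro" if macro else "no-macro-container"

def triage_message(raw: bytes) -> list:
    """List (filename, verdict) for attachments that should be held."""
    held = []
    for part in message_from_bytes(raw).walk():
        if part.get_content_disposition() == "attachment":
            verdict = classify_attachment(part.get_payload(decode=True) or b"")
            if verdict != "no-macro-container":
                held.append((part.get_filename(), verdict))
    return held

def build_sample() -> bytes:
    """Constructed message: a macro-bearing file named .docx plus a PDF-like file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/vbaProject.bin", b"placeholder, not real VBA")
    msg = EmailMessage()
    msg["Subject"] = "Invoice (constructed sample)"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename="invoice.docx")
    msg.add_attachment(b"%PDF-1.4 constructed", maintype="application",
                       subtype="pdf", filename="notes.pdf")
    return msg.as_bytes()
```

Calling `triage_message(build_sample())` flags only `invoice.docx`, showing why the check keys on the file's contents and not on the name the sender chose.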

A number of attacks have taken place in the past two months, although only Hollywood Presbyterian Medical Center has reported paying a ransom. The hospital felt that paying the $17,000 ransom to obtain the security key to unlock its files was the best course of action.

That infection only affected one hospital. If the attack on Medstar Health System involved ransomware, the ransom demand could well be considerably higher.

The Washington Post reported the attack yesterday and claimed to have spoken to an internal source at a Medstar Health System hospital who said she had spoken to two employees who had viewed a popup on their computers asking for a ransom, although this has not been confirmed by Medstar Health.

Medstar Health spokesperson Ann Nickels issued a statement confirming the virus attack, although she did not say whether the virus is ransomware, only that, as a result of the infection, systems have been shut down, which prevents employees from logging in.

While the nature of the attack remains unclear, Nickels did say that Medstar Health has not uncovered any evidence to suggest that patient health records have been stolen by the perpetrators of the attack.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.