ECMC EHR Outage Teaches Valuable Ransomware Recovery Lesson

Erie County Medical Center (ECMC) spoke out about the ransomware attack that caused a hospital EHR outage spanning six weeks.

The New York hospital recently shared its cautionary tale with a local newspaper, painting a grim picture of the reality hospitals across the country now face as the healthcare industry becomes a target for cyberattacks.

In the early hours of Sunday, April 9, ECMC received a digital ransomware note demanding the equivalent of $44,000 for a key to unlock the hospital’s own files. Hackers had encrypted data in ECMC’s network impacting over 6,000 computers.

ECMC shut down all its computer systems to avoid further damage and reverted back to paper records. All patient admissions, prescription writing, and day-to-day tasks ordinarily completed in the hospital EHR system were completed by hand for weeks.

Over a month later, ECMC’s EHR system is just now regaining its normal functionalities. The hospital has managed to restore many of its computers.

Additionally, ECMC has stated no patient data was compromised despite the aggressive nature of the hackers.

"What's happening is a form of terrorism like an attack on critical infrastructure," said Chief Executive Officer at ECMC Thomas Quatroche in an interview with The Buffalo News. "It's a call to action to view cybersecurity the way we do law enforcement, to raise the profile of the issue."

While some businesses infected with ransomware opt to pay the ransom, ECMC was advised by GreyCastle Security and law enforcement authorities not to do so.

Thanks to ECMC’s connection to the health information exchange HealtheLinkNY, certain doctors could access patient health records outside of the hospital’s own network. ECMC lent the emergency room department and the intensive care unit leased laptops with limited internet access allowing doctors to access patient health records through the HIE.

With this temporary fix in place, ECMC was able to avoid bartering with hackers and continue operations to a reasonable capacity.

Another reason ECMC was advised not to pay the ransom was because hackers may not provide the key to the encrypted files after receiving payment.

Furthermore, even if hackers did provide the key, officials stated there is no way to ensure files would be in proper condition.

ECMC also had a personal reason not to pay ransom.

"A part of it also was about the integrity of the organization," added Quatroche.

However, ECMC officials acknowledged not all hospitals have the backup storage or the advantages of an HIE connection to keep a facility running long enough to avoid payment.

"Whether to pay or not is a very individual thing," Quatroche said. "If you have no backup, you have no choice."

Investigators believe the ransomware attack was caused by SamSam, an automatic program unrecognizable by anti-virus software. The hackers then tried millions of character combinations to identify a password allowing them to gain entrance into the hospital’s system.

Despite the circumstances, ECMC staff members rose to the occasion.

"Our people were tested, and it blew me away. They have been resourceful, and have rallied around each other and the patients," Quatroche said. "There also was a silver lining in that we learned that having administrators do rounding through the hospital is something we need to do more of in the future."

ECMC received assistance from firms including Microsoft, Cisco, and MEDITECH, which supplies the hospital EHR system.

Officials stated most systems will be running as normal later this week. However, the hospital’s outpatient clinics will still need more assistance.

"This is a people problem, not a technological one," said GrayCastle Security CEO Reg Harnish. "We want things to be easy and fast. But we also need to develop a culture of security to minimize those risks."

Security consultants advise that hospitals routinely check the security of their institutions.

The team at ECMC intends to improve its password strength, back up data, and limit internet access in the future.