New Jersey's Largest Hospital System Pays Up In Ransomware Attack
New Jersey's largest hospital system said that it has paid hackers a ransom after a ransomware attack disrupted its services earlier this month. Threatpost reports: Hackensack Meridian Health, a $6 billion non-profit health provider system based in Edison, N.J., operates 17 hospitals, nursing homes and outpatient centers, as well as psychiatric facility Carrier Clinic. The hospital system told media outlets on Friday that it was targeted by a cyberattack on Dec. 2, crippling its computer software systems for nearly five days. "Our network's primary clinical systems are operational, and our IT teams continue working diligently to bring all applications back online safely," according to a statement issued to media, Friday. "Based on our investigation to date, we have no indication that any patient or team-member information has been subject to unauthorized access or disclosure."
The attack affected the hospital's computer software systems, from scheduling and billing systems to labs and radiology, according to reports. Consequently, the ransomware attack forced the hospitals that were part of Hackensack Meridian Health system to reschedule around 100 non-emergency appointments and surgeries earlier in December. The hospital system did not clarify how much ransom it paid, or whether its data has since been recovered. It also did not give further indication about how systems were first infected and what data was affected.
Re:Non profit my ass. (Score:4, Informative)
If they're non-profit, their books by law have to be open and disclosed. I await your forensic audit of said information to prove your point.
Re: Non profit my ass. (Score:1)
Re: (Score:2)
The point was that the definition of not for profit is not what most people would say it is... They make a bunch of money.
The reality is, you don't understand what a non-profit is. Making a bunch of money doesn't mean anything if all that money is only spent on the programs required to operate. Hospitals and health networks are expensive, really expensive to operate. One of the big Sick Kids hospitals here in Canada costs $2.1B/year to operate. Keeping in mind that they're also a non-profit, they also ran a deficit of $25m last year, because there was an extremely bad child flu season.
Re: (Score:2)
Tax is on profit. No profit, no tax on it (Score:2)
Companies pay taxes primarily on their profit. If you trade a $20 bill for four $5 bills, you owe no tax on the transaction because you had no profit.
Non-profits pay no taxes on their profits simply because they don't have any. That doesn't have anything to do with "meeting certain thresholds for" - you simply don't pay taxes on profits you don't have.
Non-profits do still pay various employment taxes, etc, because they do have employees.
If the non-profit also:
fits into one of several predefined categories,
i
Need to demand greater transparency (Score:1)
Subpoenas should be handed out if they don't cooperate and open all the books and logs.
Evidently paying off the ransom is cheaper than making proper backups.
Demand paper receipts...
Re: (Score:2)
Evidently paying off the ransom is cheaper than making proper backups.
Exactly. Why do these companies not have proper backups for situations like this? Instead of paying the ransom try firing the CIO and use his/her salary to install a backup system that has been *tested and works*.
Re: Need to demand greater transparency (Score:2)
Judicial subpoenas cannot be ignored. You can subpoena everyone in common law, but that doesn't mean it's worth the paper it's written on if there is no judge that signed it; at that point compliance with your subpoena is only a nicety.
I has the solution (Score:1)
The cheapest and most likely way to deal with ransomware is to buy a copy of "Man on Fire" for every dumbass who thinks it should be legal to pay ransoms.
Hackensack Network (Score:4, Insightful)
Info (Score:2)
Based on our investigation to date, we have no indication that any patient or team-member information has been subject to unauthorized access or disclosure
so attackers encrypted data and took nothing? sure.
Re: (Score:1)
Re: (Score:2)
My gut feeling is that they did have pre-
Re: (Score:2)
Yes, the data between the backups (and you can only trust the offline ones in a situation like this) is likely at least a little stale, as you say. I used to have nightlies when I was sysadmining, and when we had two drives in a RAID 5 manage to die within a space of time shorter than what was needed to rebuild the first failed disk's data onto the hot spare, I lost about 5 business hours' worth of data on our sales quoting system. Poof, gone; even with proper backups and redundant hardware (RAID array).
Not
Re: Info (Score:2)
OCR will treat it as a HIPAA violation unless they can prove (e.g. loss prevention and data extraction detection at the firewall) that nothing was going out from those affected systems.
But this will be a multimillion dollar fine since most hospitals have no functional IT leaders.
Backups? (Score:2)
never ever pay (Score:5, Insightful)
question! (Score:2)
is this kind of money transfer legal?
in other words, are they not complicit in illegal activity by giving away this money?
Re: (Score:2)
Hmm, you seem to be suggesting that if someone kidnapped your infant daughter, YOU should go to prison if you paid the ransom....
Asset size (Score:2)
If they are $6 BILLION in assets, they can pay to have a secure system and not be affected by ransomware.
I know EHR is a rather vertical market, but WHY would you run your main line-of-business application (where the patient data is stored) on Windows? Get something secure. Some kind of Unix, iSeries, IBM Mainframe, OpenVMS, etc. Not saying that any of these are unhackable, but they sure are NOT susceptible to this ransomware du jour that goes around.
Then, if your workstation gets owned, wipe it, reima
Airgap size (Score:2)
" It also did not give further indication about how systems were first infected and what data was affected."
Haven't you heard? Internet access is a right, and employees will walk off a job if they don't have it. Put an airgap in (aka 'no internet') and a lot of attacks don't work, or one has to work much harder to get in (aka Stuxnet).
Re: (Score:2)
From some Googling they are using Epic as their primary EHR, which runs its back-end database on *NIX. The presentation layer is usually handled by some form of virtualization running Windows, but can be local installs on the desktops.
The primary EHR is just a small part of any medical system though. Our rather small hospital has at least 30 disparate systems that communicate with the primary EHR. There is a wide variety of OSs and back-end databases among them, although windows + MSSQL is certainly the mo
Time to make that illegal (Score:4, Informative)
Paying these "people" encourages them and just leads to more attacks. Hence paying them must be made illegal. Maybe also have reasonable IT security and backups at places that depend on their IT?
Re: (Score:1)
Maybe also have reasonable IT security and backups at places that depend on their IT?
What often happens is the attacker is in your network for a while before you actually know about it. One of the first things they do is find a way to nuke your backups before they encrypt everything and demand a ransom. There are ways to protect against this, but I suspect a lot of companies do not adequately secure their backups and since it's not a visible problem, it likely doesn't get any meaningful attention.
Re: (Score:2)
Off-site, offline backups are part of any reasonable BCM/DR checklist.
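The two recurring points in this thread, that a backup only counts if a restore from it has actually been tested (the "tested and works" comment above) and that attackers who have been in the network for a while go after the backup copies before encrypting anything, can be turned into a concrete restore test. The script below is an added example written for this page, not code from any of the commenters or from the hospital system; it assumes GNU coreutils and tar (sha256sum, mktemp, find) and uses constructed sample files. It takes a backup with a checksum manifest, simulates ransomware overwriting the live files, proves the backup restores the original content, and then shows that a backup copy the attacker has altered is rejected rather than silently restored.

```bash
#!/usr/bin/env bash
# Added example, not from the original thread. Assumes GNU coreutils + tar.
set -u

# Archive SRC into OUT_DIR together with a sha256 manifest of every file and a
# hash of the archive itself, so that later tampering with the copy is detectable.
make_backup() {  # make_backup <src_dir> <out_dir>
    local src="$1" out="$2"
    mkdir -p "$out"
    ( cd "$src" && find . -type f | sort | xargs sha256sum ) > "$out/manifest.sha256"
    tar -C "$src" -cf "$out/backup.tar" .
    sha256sum "$out/backup.tar" | cut -d' ' -f1 > "$out/backup.tar.sha256"
}

# The actual restore test: extract into a scratch directory and check every file
# against the manifest. Returns 0 only if the archive hash and all file hashes match.
verify_restore() {  # verify_restore <backup_dir>
    local bdir scratch rc=1
    bdir=$(cd "$1" && pwd)
    scratch=$(mktemp -d)
    if [ "$(sha256sum "$bdir/backup.tar" | cut -d' ' -f1)" != "$(cat "$bdir/backup.tar.sha256")" ]; then
        echo "archive hash mismatch: backup copy was altered" >&2
    elif tar -C "$scratch" -xf "$bdir/backup.tar" &&
         ( cd "$scratch" && sha256sum -c "$bdir/manifest.sha256" >/dev/null ); then
        rc=0
    fi
    rm -rf "$scratch"
    return $rc
}

# Only restore a backup that has just passed its own restore test.
restore_backup() {  # restore_backup <backup_dir> <dest_dir>
    verify_restore "$1" || return 1
    mkdir -p "$2" && tar -C "$2" -xf "$1/backup.tar"
}

# End-to-end demonstration with constructed sample data.
demo() {
    local work src bk restored
    work=$(mktemp -d); src="$work/src"; bk="$work/backup"; restored="$work/restored"
    mkdir -p "$src/radiology"
    printf 'appt 2019-12-02 patient A\n' > "$src/schedule.txt"   # constructed sample
    printf 'scan 42 normal\n' > "$src/radiology/report.txt"      # constructed sample
    make_backup "$src" "$bk"

    # Simulate ransomware: every live file is overwritten with junk.
    find "$src" -type f -exec sh -c 'head -c 64 /dev/urandom > "$1"' _ {} \;

    # The backup copy is untouched, so the restore test passes and data comes back.
    restore_backup "$bk" "$restored" || { rm -rf "$work"; return 1; }
    [ "$(cat "$restored/schedule.txt")" = "appt 2019-12-02 patient A" ] || { rm -rf "$work"; return 1; }

    # Now the attacker has also reached the backup copy: the test must fail loudly,
    # not hand back a corrupted restore.
    printf 'x' >> "$bk/backup.tar"
    if verify_restore "$bk" 2>/dev/null; then rm -rf "$work"; return 1; fi

    rm -rf "$work"
    echo "restore test OK: clean backup restores, tampered backup is rejected"
}

demo
```

The hash check is only meaningful if the manifest and archive hash are stored somewhere the attacker cannot reach from the production network (an offline or append-only copy, as the checklist comment says); a manifest sitting next to a writable backup can be rewritten along with it. Running this test on a schedule, against the off-site copy, is what turns "we have backups" into "we have restores".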