Case Study $3$

Details of the Cyberattack

The centre was alerted to the possibility of an attack when a member of staff said they were having

problems opening a document. Upon investigation, it was discovered that all documents on the network

share had long names. Suspecting a cyberattack, the network was quickly disconnected from the

Internet. It was then discovered that all files and folders on all network shares had been encrypted.

There was a single text file in every folder acknowledging the presence of ransomware along with

instructions on payment.

The centre had a two$-$level backup system in place. One was using

an external hard drive to back up all documents in personal and

network shares. The second was a magnetic tape system where the

Exchange server and all emails were backed up$.$ Unfortunately, it

was determined that the external hard drive had failed over two

months prior to the incident. This meant that the last known good

backup was $60$ days old. No alerts were issued to inform the centre

of this failure. The tape backup was unaffected. Financial and EMR

data was stored in the cloud and was unaffected.

A decision was made to contact the cyberattacker$($s$).$ Within a matter of hours, they received a reply

asking for more details $($e$.$g$.$ number of machines affected, size of the organization, server operating

systems$).$ Realizing that doing this alerted the cyberattacker of a potential victim $($and could also

potentially affect the size of the ransom that would be requested$),$ they immediately blocked the email

address and domain. Back to reassessing the damage, it was decided to delete all the encrypted files and

folders and fall back to the last known good backup that was done two months earlier. This decision was

made fairly quickly since the number of files generated by users in that time span was determined to be

fairly small. Within a matter of a few hours after the attack, the centre was operational again.

During the root cause analysis, it was discovered that there was a Windows $2003$ server setup for remote

access with an Internet$-$facing external port. It appeared that this server was used by a past system

administrator for off$-$site administration. The current administrator was unaware of this as there was no

previous system infrastructure documentation. It was through this server that unauthorized network

access was achieved.

Insurance

The centre did reach out to their insurer who indicated that since they were not negotiating with the

cyberattackers, they would not intercede.

Costs

Costs were associated with staff time working directly on the restore for an entire day.

You have to know your

systems and architecture;

every single part of it$.$

$-$System Administrator

Data Security Case Study

After reading the case study, discuss the following:

$1.$ Describe each case study?

$2.$ What were the effects of each breach?

$3.$ How could healthcare information technology and technical

safeguards aid in these situations?

$4.$ What else could have been done to prevent the breaches?