Case Study 4
Details of the Cyberattack
Unlike the other centers in these four case studies, this center had no IT personnel onsite who could understand and manage the attack. They had transitioned from a private IT vendor to a hospital-based IT vendor. The center was also in the middle of the three-year IT implementation plan that was proposed by their current vendor. One of the items identified in this plan was to have the center’s systems, which were currently being backed up onsite, moved to an offsite backup location at the hospital. In the interim, the new IT vendor was relying on the onsite backup. However, this backup was not being done on a segregated server. The cyberattack was initiated when a user clicked on a link containing the ransomware. Soon after, the center determined that no one could access email. An urgent call was made to the IT vendor, who discovered that the Exchange server had been compromised through a ransomware infection. They also found that the local backup had been encrypted. The Executive Director remembered that the previous vendor had created a disaster recovery backup on a segregated server and asked the current vendor to look into this. Unfortunately, this process took almost three days. After a lot of finger-pointing between vendors, the center was able to restore its environment. The Executive Director recommends that if anyone is planning to switch vendors, they should ensure that their new vendor is fully familiar with the organization’s entire network infrastructure. It is also highly recommended that centers regularly test their Business Continuity Plan (BC P) and Disaster Recovery (DR).
Insurance
The center did reach out to their insurer who indicated that since they were not negotiating with the cyberattackers, they would not intercede.
Costs were associated with staff time including staff working directly on the restore and the tremendous amount of follow-up work that had to be done. The center had to resort to faxing and phones as there was no access to emails during this time.
When changing vendors, make sure there is a proper transition of responsibility
- Executive Director
Data Security Case Study
After reading the case study, discuss the following:
1. Describe each case study.
2. What were the effects of each breach?
3. How could healthcare information technology and technical safeguards aid in these situations?
4. What else could have been done to prevent the breaches?