A ransomware attack on many computer systems at the Brooklyn Hospital Center in New York caused the permanent loss of some patient data.
The hospital tried to recover the information, but every effort was in vain. This shows that no ransom was paid to decrypt the files.
Unrecoverable medical records
The attack took place in late July, but the hospital only disclosed it publicly last week, after what the organization refers to as an “exhaustive investigation” and after “diligent remediation efforts.”
Nevertheless, attempts to retrieve the encrypted documents remained fruitless, the hospital notes in a public notice. Not all patients are affected by the incident, but the number of those affected is not known.
“On September 4, 2019, the investigation confirmed that due to the malware, and despite exhaustive efforts by the Hospital to recover the data, certain patient data was unrecoverable.”
Names and dental or heart images are among the unrecoverable data. The hospital stresses in the report that it found no evidence of the information being exfiltrated from its networks or otherwise misused.
Ransomware attacks are about encrypting information, not stealing it, and demanding money in exchange for the decryption key.
In this case, the hospital did not give any information about the ransomware strain or the amount of money the cybercriminals had demanded.
Backup is the first line of defense
While the notice to patients reveals that the hospital did not comply with the criminals' demands, as both the infosec community and law enforcement advise, it also indicates that Brooklyn Hospital Center has no proper contingency system in place.
Medical information is important enough to warrant protection, because catastrophe can take many forms, not just ransomware: an infected computer system can corrupt data, or a hard drive can malfunction.
Organizations that handle sensitive information should be prepared for these scenarios and have a backup procedure to safeguard everything.
However, defending against ransomware is not identical to protecting against software and hardware failures, and access to the backups should be tightly controlled to keep malware from reaching them.