An Unseen Threat Actor Attacks a Critical Access Hospital's Digital Network in Sandusky, Michigan
As soon as information technology (IT) systems began shutting down, the IT team at McKenzie Health System, a Critical Access Hospital (CAH) in Sandusky, Michigan, knew they had a problem. On or about March 11, 2022, according to Steve Barnett, the chief executive officer (CEO) of McKenzie Health System, the IT team notified him that the CAH's computer and information systems were under attack from an unknown threat actor. A threat actor exploits weaknesses in computers, firewalls, IT networks, and systems to carry out malicious activity in the digital space. Such actors operate covertly, often on the dark web, and continually probe information systems for vulnerabilities, commonly through phishing attempts that use bogus emails to deliver viruses or ransomware.
After a thorough but rapid forensic investigation, McKenzie Health's IT director determined that the attack had begun approximately 24 hours before discovery and that the threat actors were demanding a 7-figure ransom to withhold the release of potentially compromised protected health information (PHI) and other private data on the dark web. While working to identify the breached data and contain the attack, the hospital was unable to immediately determine the source of the attack, but Barnett said the most likely culprit was a phishing email that got past their spam filtering and allowed the delivery of additional malicious payloads.
He described the attack as a “smash and grab,” similar to a robbery where the perpetrators do not have a specific target in mind but take as much as they can until they are discovered and then get out.
The initial phase of the response for McKenzie Health involved determining what was happening, where the attack was coming from, and who was responsible. Because the IT team needed to rebuild the lost information and get downed systems back online quickly, the hospital first moved to contain the threat by taking operations completely offline. Barnett said his team responded well and naturally switched over to paper systems. He attributed this fluidity between old and new technology to being rural and being accustomed to periodic interruptions of the digital pipeline. According to him, the team is very familiar with what to do when a tool fails and knows that things must be done differently in those instances. Barnett added, “That is the nature of rural versus urban. You learn to adapt more quickly in both directions.” As the time offline grew, however, staff anxiety rose, which amplified the need to rebuild and get back online as quickly as possible.
One challenge to initiating such a quick recovery and rebuilding systems in a cyberattack is the risk of destroying clues about where the attack is coming from and who is responsible. This risk must be weighed against the damage that is being done. Barnett thought the hospital may have started the recovery a little too quickly, but with all of the involvement of lawyers, threat actor negotiators, and the need to examine and isolate the affected systems, decisions had to be made. He also commented that their cybersecurity insurance company was advising and assisting the hospital the entire time.
When it was determined that the attack did not seem to go as deep as previously thought, and with the recovery of files and information already in progress, McKenzie Health made the gut-check decision not to pay the ransom. The IT team restored computer and IT systems to their state 12 hours prior to the attack. Barnett described the conversation:
“It's Saturday night, about 8:00 or 9:00. I am on the phone with my IT director, chief operations officer (COO), and chief financial officer (CFO). We are aware of the problem; we have some sense of what happened and what was penetrated. My IT director has done a search of the dark web and looked at who he thinks it is. We have to make a judgment call about their integrity. What do they want? How is this going to go? We have no guarantee that if we pay, it will prevent the release of [information] they were able to get. It did not feel like we were going to be able to win and I am not a fan of paying people to behave badly or do bad things to you. So, we made the decision not to pay the ransom.”
Another important part of the decision was an analysis conducted by the leadership team. The analysis determined that McKenzie Health was taking the appropriate precautions, had implemented preventive training, and had the proper firewalls and security in place to attempt to prevent such attacks. They believed federal officials would look at this information in any future audits of the incident.
Despite having a breach, Barnett credited his hospital's firewalls and continuous education about phishing emails for keeping out many other potential threats. He said they cannot stress enough that bad actors are always waiting to take advantage of a situation. The hospital constantly communicates to staff the need to be vigilant and educates them on ways to identify phishing emails. Barnett stressed, “They are trying to get you to push a button in an email. We teach staff to look at the email address and domain. If what is being asked does not seem logical, stop. Email is where you are most vulnerable but we're not going to take email away from everybody, so we have to educate people to use it wisely and purposefully.”
He also emphasized the disaster recovery efforts that McKenzie Health had in place as being critical:
“When our insurance broker started talking about the need for cybersecurity insurance 5 or 6 years ago, none of it made a lot of sense, but the threat seemed real enough, so we went with something limited and expanded over time. The costs for this sort of thing can add up fast with law firms, risk assessment, the threat actor negotiator; it is crazy. In addition, all of this is crucial because the incident must be reported to the proper authorities, and you need to prepare for any future audits from the federal government. They can audit you at any time and you may have additional penalties.”
McKenzie Health had also engaged a disaster recovery organization prior to the incident and maintains redundancy in its IT system through a remote server at an offsite location, isolated from the hospital network. The IT system backs up approximately every 12 hours, which aided in the recovery of critical processes and information.
Given the nature of the breach, McKenzie Health did not release a formal statement to the media. However, in a small community, news travels fast and the local newspapers and radio station began inquiring about what happened. The hospital leaned on the expertise of their attorney to develop messages that could be shared with the media. Barnett said McKenzie Health asked the media to “give us time to figure this out” and the request was respected.
The hospital then began putting together a patient notification list, tiered by potential risk based on what personal information might have been compromised. The disaster recovery professionals engaged by the cybersecurity insurance company aided McKenzie Health with messaging and with determining what services needed to be provided to the individuals in each potential exposure tier; the hospital also provided monthly credit monitoring for a year to those individuals in the highest tier. “It's no longer news, but the notification process continued to elicit calls and questions for the facility,” said Barnett.
Nearly four months later, they are still not done. McKenzie Health continues to be involved with their disaster recovery team. Barnett said the hospital has learned a lot. “Our firewalls are continually learning,” Barnett explained. “We are building better firewalls. We are also trying to go virtual as much as possible, working to find a good path to access software from a central location and limit another exposure.”
Barnett encouraged healthcare leaders not to be naïve. “If you are operating in an electronic environment, as most healthcare providers are, it is not if you will suffer a cyberattack, it is when you will become a victim and so organizations should make sure they are educating, communicating, and preparing for disaster recovery. They [threat actors] are going to get in.”
One of the barriers encountered during the recovery was a lack of understanding about some characteristics of McKenzie Health's electronic health record (EHR) that would have been helpful to know during the offline period. Knowing them would have reduced the time it took to rebuild the records after systems came back online. Barnett encouraged healthcare organizations to learn about their EHR systems. “We learned after this process some things about our EHR that would have been helpful to know and would have been beneficial in the recovery. We essentially had an impenetrable, closed system for progress notes that could have helped in the rebuild,” Barnett shared.
Barnett recommended continually educating staff on determining whether an email is genuine or a phishing attempt. He noted that threat actors constantly send out emails in the CEO's name asking employees to complete a task or make a purchase. He encouraged teaching people to focus, stop, and think, “Would that person really ask me to do that?” before responding to suspicious emails.
Barnett also suggested “looking at educational opportunities, going to sessions at conferences, and finding out what you need to be paying attention to. Don't wait until it happens to you.”
Steve Barnett, Chief Executive Officer
McKenzie Health System
Opinions expressed are those of the interviewee(s) and do not necessarily reflect the views of the Rural Health Information Hub.