As you've probably heard, the Hollywood Presbyterian hospital
has been the victim of a cyber attack.
The cyber attack reportedly involved ransomware and has resulted in
patients being diverted in some cases to other hospitals in the area. The network at the hospital has reportedly
been offline to some degree for almost a week now. Although the hospital reports that patient
care has been unaffected (for obvious liability reasons), it’s hard to imagine
how that isn’t the case when lab results are being faxed rather than emailed
and much historical patient record data is currently unavailable to care
providers. The attackers are reportedly asking for $3.6 million, an amount relatively unheard of for a ransomware attack. The hospital was reportedly impacted starting on February 5th and resumed normal operations 10 days later. The hospital ended up paying $17,000 to the attackers in the interests of restoring its "administrative functions."
At Rendition Infosec, we’ve helped a number of companies
deal with ransomware attacks over the last couple of years. These attacks cause significant stress for
victims who have to figure out how to deal with an overall lack of access to
their data. Ransom payments are almost
always demanded in bitcoin and even when the procurement departments are ready
to pay, accounts payable often simply doesn’t know how to pay in bitcoin. Of course Rendition helps customers navigate
the process of paying to get decryption keys for their files. As much as I enjoy helping clients through
the process and getting them back on their feet, we shouldn’t have to.
Clients with good backups never need to deal with any ransom
demands; they simply restore from backup.
Sure, the ransomware attack is a pain, but it doesn’t rise to the
level of a potentially career-altering event.
Note, however, that I said good backups.
Almost every organization has backups of some of their data. How much they have backed up and how current
the backups are separates organizations that have a recoverable
incident from those that are truly impacted by the event.
A good disaster recovery (DR) plan will ensure that an
organization can weather the storm of a ransomware attack. Those with good DR plans regularly test
restoring their backups to ensure that these organizations really have what
they think they have.
Working with one organization a few years ago, Rendition
found that the company only had partial backups for its critical email
servers. As the email server cluster had
grown and accounts had been migrated from one server to another, backups were
missed. Backups were present for most
users, except those with a last name beginning with ‘H’ and ‘T’. Luckily we found this before there was an
issue, but only because we were exercising the DR plan. Simply pencil whipping an exercise concerning
the DR plan won’t be enough to save you in one of these cases.
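The coverage gap in the email server story above is the kind of problem a reconciliation check catches: compare the mailboxes that should be protected against what the backup catalog actually holds. The following is an added example, not Rendition's tooling; the mailbox names, server names, dates and the two-day freshness threshold are constructed assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data; names, servers and dates are hypothetical.
# Authoritative directory: mailbox -> server that hosts it today.
DIRECTORY = {
    "adams.alice": "mail01", "baker.bob": "mail01",
    "hall.henry": "mail02", "hughes.hana": "mail02",
    "smith.sara": "mail01", "tran.tom": "mail03",
    "young.yara": "mail03",
}
# Backup catalog: mailbox -> (server the job read from, last successful run).
CATALOG = {
    "adams.alice": ("mail01", datetime(2016, 2, 14)),
    "baker.bob": ("mail01", datetime(2016, 2, 14)),
    "smith.sara": ("mail01", datetime(2016, 1, 3)),   # job silently stopped
    "young.yara": ("mail01", datetime(2016, 2, 14)),  # still reads pre-migration copy
}


def audit_backups(directory, catalog, now, max_age=timedelta(days=2)):
    """Return mailboxes with no backup, a stale backup, or a backup from the wrong server."""
    report = {"missing": [], "stale": [], "moved": []}
    for mailbox, server in sorted(directory.items()):
        entry = catalog.get(mailbox)
        if entry is None:
            report["missing"].append(mailbox)
            continue
        backed_up_from, last_run = entry
        if now - last_run > max_age:
            report["stale"].append(mailbox)
        if backed_up_from != server:
            report["moved"].append(mailbox)
    return report


def missing_by_initial(report):
    """Count unprotected mailboxes per surname initial to expose patterns."""
    return Counter(name[0].upper() for name in report["missing"])


if __name__ == "__main__":
    result = audit_backups(DIRECTORY, CATALOG, now=datetime(2016, 2, 15))
    print(result)
    print(missing_by_initial(result))
```

A check like this only proves that a backup record exists and is recent; it does not replace the test restores that confirm the data can actually be recovered.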
If you don’t have a good DR plan (or you aren’t sure), work
with an expert to construct one. Failing
at DR is truly a career limiting move, and one you definitely don’t want to
make. If you think your DR plan is good,
but you aren’t currently exercising it, start today to make sure that you
really have the protection you think you do.
You definitely don’t want to find out during an emergency that your
backups are ineffective.
Back to Hollywood Presbyterian… I believe that their IT
management thought they had good backups.
No business would knowingly use bad backups in this day and age. But obviously there was an issue somewhere
that prevented them from using their backups effectively. If they could just reboot and begin using
their backups, they’d be doing so. The
fact that they aren’t speaks volumes about their inability to do so. It seems almost certain at this point that
they lacked a well exercised DR plan. If
you are in any industry, but health care in particular, you should be asking
yourself how well your organization would be able to respond to such a cyber
attack. If you can’t say with certainty
you would weather the storm unscathed, it’s probably time for professional help
with your DR plan.