At 2 a.m. on a Sunday morning in April, Erie County Medical Center was hit with a ransomware attack that locked down the hospital’s computers and requested $44,000.
Hours later, hospital executives and security consultants elected not to pay the ransom, a decision that would require the facility to revert back to pen-and-paper charting and would take weeks to restore computer systems back to normal.
It was a relatively easy decision, ECMC officials told The Buffalo News, which outlined the hospital's blow-by-blow response to the attack. The medical center already had backups of patient files and used borrowed laptops with stripped-down connectivity to access a regional health information exchange for up-to-date patient records.
For ECMC CEO Thomas Quatroche, that response was also “about the integrity of the organization.”
“What's happening is a form of terrorism like an attack on critical infrastructure,” he told The Buffalo News. “It’s a call to action to view cybersecurity the way we do law enforcement, to raise the profile of the issue.”
The difficult part came during the weeks afterward as the hospital worked to get its system back online. Officials said most computer systems would be back to normal this week, more than six weeks after the attack. Experts have said hospitals often struggle with the decision to pay a ransom, especially considering the real-world implications of an attack.
Unlike most ransomware attacks that find a way into the hospital’s network through phishing emails, cyber extortionists used an automatic program to attack a loosely configured web server. Experts said the attackers manually searched through files a week before locking them down and demanding payment.
"This attack was in our top 10 percent in terms of sophistication, and the manual intervention with someone poking around was unusual," said Reg Harnish, chief executive officer of GreyCastle Security, which assisted the hospital in its response.
The attack happened a month before the WannaCry ransomware attack that swept across the globe, but highlighted some of the same concerns regarding cybersecurity weaknesses throughout the healthcare industry. Healthcare executives have said ransomware is a top concern in 2017, and some experts have pushed for the industry to find a solution in artificial intelligence.