6 weeks after going back to pen and paper, Buffalo hospital CEO sees ransomware attack as a call to arms

At 2 a.m. on a Sunday morning in April, Erie County Medical Center was hit with a ransomware attack that locked down the hospital’s computers and requested $44,000.

Hours later, hospital executives and security consultants elected not to pay the ransom, a decision that would require the facility to revert back to pen-and-paper charting and would take weeks to restore computer systems back to normal.

RELATED: Buffalo hospital returns to pen and paper after a virus shuts down IT systems

It was a relatively easy decision, ECMC officials told The Buffalo News, which outlined the hospital's blow-by-blow response to the attack. The medical center already had backups of patient files and used borrowed laptops with stripped-down connectivity to access a regional health information exchange for up-to-date patient records.

For ECMC CEO Thomas Quatroche, that response was also “about the integrity of the organization.”

“What's happening is a form of terrorism like an attack on critical infrastructure,” he told The Buffalo News. “It’s a call to action to view cybersecurity the way we do law enforcement, to raise the profile of the issue.”

RELATED: Should hospitals pay up following a ransomware attack? The answer is far from simple

The difficult part came during the weeks afterward as the hospital worked to get its system back online. Officials said most computer systems would be back to normal this week, more than six weeks after the attack. Experts have said hospitals often struggle with the decision to pay a ransom, especially considering the real-world implications of an attack.

Unlike most ransomware attacks that find a way into the hospital’s network through phishing emails, cyber extortionists used an automatic program to attack a loosely configured web server. Experts said the attackers manually searched through files a week before locking them down and demanding payment.

"This attack was in our top 10 percent in terms of sophistication, and the manual intervention with someone poking around was unusual," said Reg Harnish, chief executive officer of GreyCastle Security, which assisted the hospital in its response.

RELATED: After WannaCry, experts worry healthcare’s vulnerabilities will make the next ransomware attack even worse

The attack happened a month before the WannaCry ransomware attack that swept across the globe, but highlighted some of the same concerns regarding cybersecurity weaknesses throughout the healthcare industry. Healthcare executives have said ransomware is a top concern in 2017, and some experts have pushed for the industry to find a solution in artificial intelligence.