Alabama hospital system DCH pays to restore systems after ransomware attack

The health system, which had been forced to shift operations into manual mode, using paper copies in place of digital records, purchased a decryption key from the hackers for an undisclosed sum.
By Nathan Eddy
11:35 AM

The Alabama hospital group DCH Health Systems has paid an undisclosed sum to the attackers who perpetrated a ransomware attack on its three hospitals in Tuscaloosa, Fayette and Northport, according to media reports.

DCH spokesman Brad Fisher was quoted in The Tuscaloosa News as saying the hospital system paid the attackers and had obtained the key to unlock the targeted files, though Fisher did not say how much the health system had paid.

"This included purchasing a decryption key from the attackers to expedite system recovery and help ensure patient safety," Fisher said. "For ongoing security reasons, we will be keeping confidential specific details about the investigation and our coordination with the attacker."

WHY IT MATTERS
The ransomware attack on the DCH computer network was carried out on Oct. 1 and involved Ryuk ransomware code, malware that contains several bugs, resulting in damage to about one in every eight files that it encrypts.

Following the attack, DCH was closed to all new patients except the most critical cases, while the organization dealt with the aftermath of the attack, which involved an unknown individual who used the malicious software to encrypt files and restrict access to computer systems.

The attack forced medical staff to shift operations into manual mode, using paper copies in place of digital records, while DCH implemented emergency procedures, engaging independent IT security and forensics experts as well as local law enforcement officials.

On Saturday, October 5, DCH released an updated statement noting the start of a "methodical process of system restoration," and the successful completion of a test decryption of multiple servers.

The organization also noted the "time-intensive" nature of the process, stating that a specific recovery timetable was not possible. It did, however, mention a sequential plan currently underway to "decrypt, test and bring systems online one-by-one."

The process, which will involve DCH's thousands of computers across the network, will prioritize primary operating systems and essential functions for emergency care, health system officials said.

THE LARGER TREND
It was the second recent attack targeting Alabama health systems: On September 30, University of Alabama at Birmingham Medicine had to notify nearly 20,000 patients that in August, criminal hackers gained access to certain employee email accounts containing patient information.

In that case, the hackers sent an authentic-looking business survey request email to employees, which served as the point of entry for the phishing attack.

The resulting investigation, which involved cybersecurity firm Kroll, determined the cybercriminals attempted to divert employees' automatic payroll deposits to an account controlled by the hackers.

Meanwhile, the FDA issued an alert last Tuesday concerning the cyber vulnerability known as URGENT/11, which threatens medical devices and networks. The U.S. Department of Homeland Security has been aware of the URGENT/11 vulnerability since July.

Globally, recent cyber-attacks exposed severe security flaws in several Australian health systems, though so far there has been no indication the hackers were able to access personal patient information.

ON THE RECORD
Restoring DCH's systems "will be a deliberate progression that will prioritize primary operating systems and essential functions for emergency care," according to its Oct. 5 statement.

"We cannot provide a specific timetable at this time, but our teams continue to work around the clock to restore normal hospital operations, as we incrementally bring system components back online across our medical centers," DCH officials said.

"We expect to be making additional announcements in the coming days, as key systems are restored and more patient services resume. Meanwhile, we are grateful for the dedication and professionalism of our staff, as they continue using our emergency downtime procedures to provide safe and patient-centered care."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.