Ransomware Meets Vendor Risk Management and Creates a Disaster

A Wisconsin-based cloud provider that hosts software for nursing homes and other healthcare providers was hit by a ransomware attack, making those medical records unavailable to those healthcare professionals. The owner of the IT company says this attack may cause her to lose her business and, even worse, could result in nursing home residents dying.

While most of us don’t have to deal with the second result (even though doctors and hospitals do), we hear of businesses shutting down as a result of cyber attacks all too frequently.

Milwaukee, Wisc.-based Virtual Care Provider Inc. (VCPI) provides IT consulting, Internet access, data storage and security services to some 110 nursing homes and acute-care facilities in 45 states. All told, VCPI is responsible for maintaining approximately 80,000 computers and servers that assist those facilities.

At around 1:30 AM on November 17th, the company was hit by a ransomware attack.  The attackers are asking for $14 million in ransom.

The attack has taken out email, billing, phones and even the company’s own systems, like payroll.

VCPI said that some of its customers may be forced to close if they can’t order drugs and deal with other things necessary to keep their facilities safe and take care of patients.  Source: Brian Krebs

So what is the message here?

Backups are critical, for sure, and you need to make sure that you are really backing up EVERYTHING.

But while backups are important, you need to restore backups frequently to make sure that you are really backing up what you think you are backing up and that the backup process is working.  And, those backups need to be offline.  Some of mine are in a bank vault and that vault is NOT connected to the Internet.

What people often forget, however, is how long it will take to restore. “Mean time to restore” is what we call it. If it is going to take you a week or a month to restore, then you are going to pay that ransom. The restore time requirement is likely different for different systems. You may need phones restored in an hour, but your archive of old documents could be down for a week. The NotPetya attack a few years ago infected entire companies in 90 seconds, including the disaster site, so plan for the case when EVERYTHING turns to toast. Burnt toast at that.

You need to worry about this not only for yourselves, but also for any providers that are important to you. If you outsource your payroll and they get hit by ransomware the day before payroll gets submitted, will your employees get paid? If your web site goes down for a week, do your customers even know if you are still in business? If you use a cloud-based system to run your warehouse and ship a product and you can’t get to it, can you ship? If your business is information, like, say, the mortgage business, and you can’t get to any of those loan applications, now what?

If you have anything that needs to be online all the time and you outsource it, you need to make sure that vendor has a good backup plan. 

By the way, if they have a second (disaster) site and it is connected to the first site, when that site gets hit by a ransomware attack, guess what happens to the second site.  Yup.  They need a plan B.

I hate to keep harping on this, but given the frequency and severity of attacks we are seeing and the results, people have not fixed the problem yet. Plan now because it gets really ugly later.