How a physician-owned practice recovered from a ransomware incident

OrthoVirginia's chief information officer talks about the 18-month remediation process after a Ryuk ransomware incident and describes how a cybersecurity road map and training drove a more comprehensive cyber hygiene strategy.
By Andrea Fox
03:17 PM

Terri Ripley, CIO for OrthoVirginia

Photo: OrthoVirginia

About half of ransomware attacks have disrupted healthcare delivery among the largest hospitals and healthcare systems, according to a JAMA study published earlier this year. 

But at smaller and medium-sized providers, often with tighter security budgets and fewer recovery resources, such attacks can be much more than just disruptive – and can upend care processes for days or even weeks.

Two years ago, Virginia’s largest provider of orthopedic medicine and therapy, OrthoVirginia, was hit with a Ryuk ransomware attack that disabled access to workstations, imaging systems needed for scheduled surgeries, backed-up data and more.

Terri Ripley, OrthoVirginia's chief information officer, and Steve Cagle, CEO of Clearwater Security and Compliance, agreed to share the experience of recovering from the attack and talk about building OrthoVirginia's cybersecurity strategies beyond recovery.

Ripley, who has more than 30 years of health IT experience implementing health technologies – she currently designs, develops and delivers information systems for the large orthopedic practice – also has some important advice for providers struggling with cyber risk perceptions within their organizations.

"Implementing cyber hygiene practices can be challenging when the perception is that it slows down care delivery or gets in the way," said Ripley.

Q. Early on in the pandemic, OrthoVirginia experienced what you’ve called "the perfect storm" that made it possible for a cyber incident to get into the physician-owned practice’s network. Can you please describe the discovery of the incident, the impact ransomware had on the practice and what your team faced to recover from it?

Ripley. Absolutely. Our IT monitoring systems identified the malicious deployment of ransomware on our local network on February 25, 2021. We later learned this was an advanced Ryuk ransomware strike. 

The incident impacted our Windows servers, workstations, network storage and backups but, luckily, not our hosted [electronic health records]. When OrthoVirginia discovered the incident, it was able to stop the infiltration and prevent access to legacy data images and data files. 

Later, our forensic investigators identified that malicious reconnaissance activity began on or before February 23. 

One of the most significant impacts on our practices was the encryption of our [picture archiving and communication system], which houses all our X-rays and is a critical component of orthopedic surgery. The cybersecurity incident impacted the application and database services to view the images. 

However, there was no forensic evidence that the images themselves were accessed. And because we had only recently reopened our operation rooms post-COVID, we were in a critical place to continue the surgeries we had scheduled for our patients.

We had a really small IT team, and I have to say, I couldn’t be prouder of their response to this situation. They immediately shut down our servers to avoid any further contamination. 

I contacted our cyber insurance event response team and the FBI; all were critical as we rolled out response software, conducted forensic analysis and continued ransom negotiations. I think it’s really important to note that we did not pay the ransom. 

We spent the next 18 months in recovery from the incident. 

We established access to the EHR from inside the office via an isolated wireless network and protected bring-your-own-device access. We purchased as many Chromebooks as we could and called on employees to bring their own devices, and spent the next four months working from these devices as we rebuilt virtual machines and restored application data prioritized by business units.

We offered office hours for supporting access to the EHR and deployed an entirely new PACS system within two weeks.

I’m pretty sure that’s unheard of, but we had established patients as the very first priority, and this is what it took to take care of them. We got really creative and pulled on every resource we could think of, but in the end, we never had to shut down patient care, and that’s what mattered most. 

Q. What was the remediation approach, and how did Clearwater help OrthoVirginia with OCR compliance?

Cagle. We came into the partnership with OrthoVirginia post-recovery of the initial incident. Terri [Ripley] knew they needed help standing up a stronger cybersecurity program and, after vetting a handful of potential vendors, selected Clearwater. 

Terri initially asked us for virtual chief information security officer services, but the more we talked, the more she realized she needed something more comprehensive, and we scoped a managed services program for her. 

While we were helping OrthoVirginia establish a cybersecurity road map, tabletop exercises and a comprehensive risk analysis, they received an investigation letter and data request from [the Office for Civil Rights] related to an individual’s right of access to obtain a patient’s images that were temporarily unavailable due to the ransomware incident.

OCR’s investigation was comprehensive, since it focused on not just the access request, but also the ransomware incident. Terri felt confident that what happened at OrthoVirginia didn’t violate any of the HIPAA rules, and didn’t constitute a breach of [electronic protected health information], and asked for our help in responding to the investigation letter.

Our team has a lot of experience with OCR, so we helped Terri articulate the findings of OrthoVirginia’s forensic investigation, the controls that were in place at the time of the incident and actions taken immediately following the discovery, which allowed them to successfully respond to the OCR’s investigation letter, initial data request and subsequent requests for additional information. 

Q. Once the remediation plan was rolling, what were your next steps to fortify the practice’s attack surfaces from future incidents?

Ripley. That’s when we called Clearwater. I am so proud of our small and mighty IT team, but this was also a sign that we needed some help shoring up a more robust strategy. 

It’s easy to read headlines about other incidents and think, “but not us.” We wanted to ensure that if something like this ever happened again, we could truly say we had put up every defense to prevent it.

We subscribe to Clearwater’s ClearAdvantage managed services program for this reason. They helped establish a comprehensive program, including program management and leadership. 

Since the incident, we’ve added some crucial strategies, some small, like multifactor authentication and digital identity badges, and some bigger strategies like an assessment of our cybersecurity program performance, a rigorous risk analysis, technical testing and executive tabletop exercises. It’s all part of a larger strategy that helps us do more with our small team.

Q. What are your recommendations for providers that are struggling to implement recommended cyber hygiene practices?

Ripley. I think you have to start with a shared understanding of the why.

OrthoVirginia is a physician-owned organization, so implementing cyber hygiene practices can be challenging when the perception is that it slows down care delivery or gets in the way. If we could go back in time and understand what was at stake and how much a cyber incident would affect our organization, I think we would have had a better consensus for making some of these changes.

Cagle. I agree with Terri, and I’ll add that communicating effectively with your board of directors is critical to securing not only the financial resources for cyber hygiene practices, but the prioritization.

You can do this in a variety of ways, from getting your CISO a spot on the next agenda to inviting your cyber insurance partner or your cybersecurity partner to speak at the next board meeting. We do this for our clients at Clearwater, because we know how important it is to communicate in terms of the business objectives and risks to the company’s equity value if the right strategies and best practices aren’t in place prior to an incident.

There truly is no healthcare organization that can’t be a target, small to big, public to private. It doesn’t matter.

Q. How can providers that follow the frameworks stay ahead of the bad actors with new waves of attacks, like smishing, vishing and QR code exploits?

Cagle. Cybercriminals have become much more sophisticated in their strategies and techniques for attacking healthcare organizations. Leveraging frameworks and following best cybersecurity practices can help organizations prevent these attacks from succeeding. 

People are the number one vector for cyberattacks, and phishing/social engineering is a top threat. It is important to train your workforce to trust nothing and no one when it comes to the digital communication they receive, which now includes voicemails, text messages and phone calls. They need to learn to operate out of skepticism, doubting anything they can’t verify as legitimate, including QR codes. 

It’s also crucial to test the effectiveness of that training with periodic phishing and social engineering exercises, where you’re sending a simulated smishing or vishing message to see if, and how many of, your employees click or respond in ways they shouldn’t. This validates the effectiveness of your training and identifies any gaps that need to be filled.

Ripley. I’ll echo the importance of both this training and testing. This is what I mean when I say it’s so easy to think "not us." We’re naturally so trusting of the communication we receive, and attackers know it. 

They’re counting on their ability to outsmart our workforce. This is how they get into a network undetected, giving them time to find a vulnerability and exploit it. 

Teach your employees, physicians, your board, your advisors and anyone connected to your network to assume that emails, texts, voicemails, etc., are dangerous until verified otherwise. Check the source closely if it contains a link or asks for a response. 

It’s the really simple things that either protect your organization or make it an easy target.

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
