Virus Infection Prohibits Access to Patient Records
… If the “virus infection” that at least temporarily prohibited Centrelake from accessing its patient and other data was not ransomware, it’s possible that the incident involved another destructive malware, says Keith Fricke, principal consultant at tw-Security.
“Two types of malware come to mind and both are destructive,” he says. “One type could be encrypting files without the intent of collecting a ransom. The other type could be malware that deletes data, similar to the NotPetya malware seen last year.”
It’s not unusual for an organization to report, as Centrelake did, that suspicious activity commenced weeks before it lost access to its data, Fricke says. “Intruders often have unauthorized access for a while before being detected. The current metric I’ve heard recently is that attackers are in a network for about 74 days on average before being detected,” he notes. “In the Centrelake situation, it may have been that the intruder was performing reconnaissance on the network to find where information of interest was located before initiating the malware.”
Taking Action
… So, what can other organizations do to prevent these kinds of attacks that limit access to data? “Monitoring network activity 24×7 is a necessity and becoming the norm these days,” Fricke says. “It is a common practice to outsource that capability because it is difficult to maintain employed staff to perform the monitoring and analysis around the clock.”
Keeping security patches, endpoint and server protection up to date is important, Fricke adds. “Scanning your own networks regularly for vulnerabilities and addressing high-risk ones before criminals find them is also a must-do.”