One week after being hit by ransomware, several hospitals in Alabama are recovering, though experts believe similar attacks will continue.
Hospital ransomware attacks hit three facilities that are part of the DCH Health System in Alabama on Oct. 1 and despite paying the ransom, the "methodical process of system restoration" of the thousands of affected systems continued on Monday.
"We have been using our own DCH backup files to rebuild certain system components, and we have obtained a decryption key from the attacker to restore access to locked systems," DCH wrote in an update on Saturday. "We have successfully completed a test decryption of multiple servers, and we are now executing a sequential plan to decrypt, test and bring systems online one-by-one. This will be a deliberate progression that will prioritize primary operating systems and essential functions for emergency care."
DCH spokesperson Brad Fisher told media outlets Saturday morning that the ransom was paid, but did not disclose the amount or when it was paid. DCH also did not put a timetable on how long restoration would take. As of another update on Monday, the hospital ransomware attacks were still causing the affected facilities to turn away non-critical patients.
Experts said hospitals will continue to be the focus of ransomware because they tend to be more likely to pay ransoms in order to restore operations as quickly as possible.
Shawn Kanady, director of digital forensics and incident response at Trustwave SpiderLabs, said he believes "hospitals will remain a top target for ransomware for the foreseeable future."
"Not everyone is paying, so attackers want to hit institutions or companies that are going to hurt the most because they'll be put in a position where they'll have to pay, like hospitals or city municipalities," Kanady told SearchSecurity. "Locking down vital systems in a hospital could literally mean life or death. Imagine a hospital not being able to perform emergency operations because patient records and the databases housing them are fully encrypted."
Felix Rosbach, product manager with data security company Comforte AG, based in Weisbaden, Germany, added that even if hospitals have a backup strategy in place, "the resources needed to do a complete rollback after threat actors have performed a successful ransomware attack can be higher than paying a ransom."
"While it's never a good idea to pay a ransom, hospitals depend on their infrastructure and sometimes need access to some of their systems urgently. This results in hospitals being sought-after targets for ransomware attacks -- even if those attacks are one of the most reprehensible ones," Rosbach told SearchSecurity. "Keeping that in mind, healthcare organizations are required to implement strong cybersecurity and data protection. Not only are healthcare records and PII data very sensitive, business continuity becomes a significant factor when it comes to medical treatment."
Gerrit Lansing, field CTO with Stealthbits Technologies, noted that beyond the risks to patients, hospital ransomware attacks may continue because hospitals don't have the resources to protect themselves.
"Economically-motivated crime will continue to increase, and hospitals and healthcare organizations remain prime targets," Lansing told SearchSecurity. "Many hospitals and healthcare organizations lack the resources -- namely the funding and staff -- to address these vulnerabilities with the same force as the major enterprises, which is precisely why they remain favored targets."