2 min read

Dickinson County health system hit with ransomware

Kapua Iao October 26, 2020

Healthcare cybersecurity news

Binary code representing digital encryption or ransomware threat

Dickinson County Health System (DCHS), with hospitals and clinics in Michigan’s Upper Peninsula and northern Wisconsin, was recently hit with ransomware. On October 17, DCHS discovered “malicious software (commonly known in the industry as ransomware)” that “disrupted access to computer systems at [its] hospitals and clinics.” Such attacks against covered entities (CEs) and business associates are all too common nowadays. RELATED: Coronavirus Cyberattacks: How to Protect Yourself

What happened?

DCHS hasn’t released an official announcement but did provide a general statement to news networks. Upon discovery of the ransomware, DCHS took immediate steps to shut down the affected system to isolate the problem. The breach is currently under investigation and until DCHS restores its computers, it will operate under contingency procedures. Nearly all patient care services (including emergency) are still functioning; staff switched to paper copies (versus digital records) in the meantime. DCHS CEO Chuck Nelson stated:

We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures. While we investigate, our top priority is maintaining our high standards for patient care throughout our system.

At this time, DCHS believes that the threat actors have not accessed or taken any protected health information (PHI). RELATED: Is a Name PHI? While DCHS notified the proper authorities right away, the breach has not been added to the U.S. Department of Health and Human Services Office for Civil Rights’ (OCR) Breach Portal yet.

Why worry about ransomware?

Ransomware is malicious software (or malware) used to deny a victim access to a system until a ransom is paid. DCHS has not yet reported if a ransom was demanded; if there is no ransom, the malware may have been used to disrupt the system rather than hold PHI hostage. If the malware ends up being ransomware, the costs could be detrimental, not only to DCHS but to patients as well. An immediate cost is the inability to access data or computer systems; a direct cost could be exposed PHI. Furthermore, a breach could become a HIPAA violation leading to a hefty fine. RELATED: HIPAA Stands For . . . And even worse, a patient could die, as occurred to a patient in Germany after her ambulance was turned away from a hospital debilitated by a ransomware attack. Unfortunately, this DCHS attack mirrors recent breaches at Universal Health Services, Muskingum Valley Health Centers, and Ashtabula County Medical Center. RELATED: Global Surges in Ransomware Attacks in Q3 2020 Trends for 2020 show that such attacks will more than likely not stop any time soon.

How can strong email security help?

While DCHS has yet to determine how the ransomware got into its system, it was most likely from a phishing attack. Email phishing is a common method used by threat actors to trap victims into downloading malicious programs in order to spy, steal, or disrupt a system. According to Verizon’s 2020 Data Breach Investigations Report, phishing remains an enormous problem for all organizations. That is why strong email security (i.e. HIPAA compliant email), such as with Paubox Email Suite Plus, is important. RELATED: How to Make Your Email HIPAA Compliant Paubox Email Suite allows CEs to send encrypted email by default, adding no extra passwords or steps for the sender or recipient. Our Plus and Premium plans also block all types of phishing emails and protect against display name spoofing. Utilizing strong email security along with ensuring your employees are knowledgeable is necessary for all healthcare organizations. Stop malware (and ransomware) from harming you, your employees, and your patients.

Try Paubox Email Suite Plus for FREE today.

Start for free