Last month, most likely in the early morning hours of Sept. 22, Finger Lakes Health was the victim of an unspecified “cyber incident.” “Suspicious activity” was detected in the organization’s computer network, according to Lara Turbide, vice president of community services, which prompted an “immediate” and “rapid” response from the Information Services team. The response, in the language of the trade, was to “reduce connectivity.”
“We shut ourselves down,” Turbide says, which effectively prevented the suspicious activity from continuing to occur and spread.
Finger Lakes Health reports that patient services – medical treatment and care – were not interrupted during this time. However, with the network offline, medical departments needed to rely on an “alternative workflow” to continue providing those services: pen, paper and physical records. This self-imposed inconvenience allowed the IS team to selectively turn the network back on, one part at a time. Which is not a quick process.
Patients and providers trying to access their information and data through Finger Lakes Health’s online patient portal may have experienced difficulties doing so as long as a week after the event. Patients and providers might still experience trouble as the recovery continues.
“This is not exactly a linear process,” says Turbide. “It’s not like all the switches are on or all the switches are off.”
Finger Lakes Health reports that there is currently no indication that any patient, resident, employee or student data was subject to unauthorized access. The September incident has been reported to both the New York State Department of Health and the Federal Bureau of Investigation. Because the incident is now under investigation, the information Turbide can share is limited. “This certainly has become a more common occurrence than any of us would like,” she says.
It was just 18 months ago, in March 2018, that Finger Lakes Health suffered a ransomware attack that not only locked down the data on its computer network but also took out the organization’s email, internet, phone service and other “electronic systems.” Because the criminal investigation into that event is also ongoing, Finger Lakes Health has again declined to provide any information that might be known about the malware used or who the attackers were.
And yet that’s the lingering question: Who would be interested in attacking hospitals, governments, schools or any other entity here in the Finger Lakes? In the case of the 2017 ransomware attack on Schuyler County, we know that the SamSam variant was used and that the creators of that malicious software were from Iran.
Which certainly seems strange, almost impossible, to believe: Why would Iranians or Russians or any other foreign actor want to target rural New York?
According to Matthew Wright, Director of the Center for Cybersecurity at Rochester Institute of Technology, attackers don’t really care about Schuyler or Yates County in particular; it’s just business.
“Any entity on the internet is a potential target,” says Wright. There are plenty of small towns all across the U.S., Canada and Europe that could have enough money to pay a ransom, making them worthwhile targets.
Wright lays out a hypothetical scenario for how this purely transactional and impersonal extortion might be carried out: Most of these cyberattacks come from larger organizations, with an office full of people working different lists of targets.
The organization likely has a whole suite of different malware they use, as well as a collection of different pre-written emails they send out to targets. An employee in this organization might show up for work one day and be assigned towns and counties in New York. The employee turns on his computer and pulls up a Google map of the state. He does a Google search to see which municipalities fit a certain profile for demographics and finances. The employee gathers names and email addresses for people working in those local governments (again, just a Google search), and starts blasting out dozens of emails with malicious attachments and links. If someone falls for the trick, great — the employee can check that target off his list between sips of coffee. If not, oh well — the same attack has been launched against other targets and somebody else might be fooled.
This approach to extorting money through ransomware is really no different than the same sort of scam that might happen through your physical mailbox: Some bad actor sends out letters to a whole bunch of street addresses saying, “Your house title is under court action and you need to send $5,000 to me right away, or else your title will be forfeit!” Ninety-nine people who receive the letter might tear it up. But if just one person believes it, the criminal has made $5,000.
“In this case, because of the connected nature of the internet and because all of the computers – all of the important systems that you would use to operate your county or your town – are all online, now the consequences go up quite a bit,” says Wright. “The one person that would have sent the $5,000 opens up an attachment and the entire city’s computing infrastructure, large portions of important documents and databases, gets encrypted and are unusable all of a sudden.”
“Let’s face it, that’s where your weakest link is: the person behind the computer,” says Tim Groth, the director of Information Technology for Yates County. He’s not being accusatory; it’s just a fact. The history of hacking in the computer age is equal parts technical know-how and social engineering: gaming humans into giving up the private information needed to access their machines.
Groth says Yates County has the appropriate technical defenses in place: the firewalls, the anti-virus software, the monitoring services. The county also maintains multiple backups – the one thing that both experts and victims agree is essential to successfully recovering from a cyberattack. Like Schuyler County, many of the departments in Yates County also use cloud-based computing and wouldn’t be impacted significantly by a local attack; the Board of Elections and Emergency Services also have their own, separate computer systems.
Winona Flynn, acting administrator and treasurer for Yates County, says the county has insurance to cover cybersecurity incidents. The clerk’s office for the county legislature confirmed that this insurance covers “breach response,” including services to certify whether or not data had been stolen. While declining to provide specific dollar amounts, the clerk’s office also stated that the coverage would be enough to cover the potential costs involved with responding to an actual breach.
When asked if the county has a specific policy about whether or not it would pay a ransom, Flynn declines to answer. “I don’t think we want to say that,” she says. “I just don’t want us vulnerable in any way.”
In addition to the technical and financial protections that are in place, Groth regularly trains Yates County staff on what a potential email attack might look like and how to respond. He strategically sends out fake phishing emails to see if staff can spot and handle them appropriately. He has plans to increase and vary these sorts of tests. Groth says after two years he has definitely seen a change in behaviors: calls to the help desk regarding suspicious emails have increased and clicks on suspicious files and links have decreased.
When asked if there are employees who repeatedly fail the tests, Groth admits that there are. “There are a few that will get caught time and time again,” he says. “What we do at that point is offer additional training. And that’s about all we can do is keep on teaching, just keep on showing.”
Groth says for every 100 emails that are allowed through the network’s filters, another 150 emails are blocked as potential threats. And yet some of the “nefarious stuff” still gets through. Groth can fine-tune these filters to be more or less restrictive, but it’s a balancing act. Make the filters too strict, and legitimate emails get blocked and business can’t get done. Make them too permissive, and more threats will arrive in inboxes. Groth says managing the filters is an ongoing process because “the bad guys are getting that much better at hiding this stuff and making it look real.”
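The balancing act Groth describes is the classic trade-off between false positives (legitimate mail blocked) and false negatives (threats delivered). The script below is an added illustration, not code from the article or from Yates County: it scores a handful of constructed messages on a few common phishing indicators (external sender, urgency wording, risky attachment type, link to an outside host) and then shows how moving the blocking threshold changes what gets stopped and what slips through. The internal domain `yates.example` and every message are made up for the demonstration.

```python
"""Threshold trade-off in a simple email filter (constructed example)."""
import re
from dataclasses import dataclass

INTERNAL_DOMAIN = "yates.example"  # hypothetical internal mail domain
RISKY_EXT = (".exe", ".js", ".scr", ".docm", ".zip")
URGENCY = re.compile(r"\b(urgent(ly)?|immediately|right away|overdue|suspended)\b", re.I)
URL_HOST = re.compile(r"https?://([\w.-]+)")


@dataclass
class Email:
    sender: str
    subject: str
    body: str
    attachments: tuple
    malicious: bool  # ground-truth label, known only because the sample is constructed


def is_internal_host(host: str) -> bool:
    return host == INTERNAL_DOMAIN or host.endswith("." + INTERNAL_DOMAIN)


def score(msg: Email) -> int:
    """Additive risk score; higher means more phishing-like."""
    s = 0
    if not msg.sender.lower().endswith("@" + INTERNAL_DOMAIN):
        s += 1  # external sender
    if URGENCY.search(msg.subject + " " + msg.body):
        s += 2  # pressure language typical of extortion or credential lures
    if any(a.lower().endswith(RISKY_EXT) for a in msg.attachments):
        s += 3  # executable or macro-capable attachment
    if any(not is_internal_host(h) for h in URL_HOST.findall(msg.body)):
        s += 2  # link pointing outside the organization
    return s


def evaluate(msgs, threshold: int) -> dict:
    """Block everything scoring >= threshold; report the cost of that choice."""
    blocked = [m for m in msgs if score(m) >= threshold]
    allowed = [m for m in msgs if score(m) < threshold]
    return {
        "threshold": threshold,
        "blocked": len(blocked),
        "false_positives": sum(1 for m in blocked if not m.malicious),
        "false_negatives": sum(1 for m in allowed if m.malicious),
    }


# Constructed sample traffic: a mix of routine internal mail, legitimate but
# urgent-sounding vendor mail, and lures of the kind the article describes.
SAMPLE = [
    Email("alice@yates.example", "Meeting notes", "Notes are at https://intranet.yates.example/notes", (), False),
    Email("billing@vendor-example.com", "Invoice overdue - pay immediately", "See https://billing.vendor-example.com/inv", ("invoice.pdf",), False),
    Email("support@example.net", "Your account will be suspended", "Verify at https://login-portal.example.net/verify", (), True),
    Email("scanner@example.org", "Scanned document", "Attached.", ("scan.docm",), True),
    Email("news@example.org", "Weekly news", "Read more at https://news.example.org/this-week", (), False),
    Email("bob@yates.example", "Please review urgently", "Numbers for the board.", ("report.xlsx",), False),
    Email("court@example.com", "Court action on your property title", "Send payment right away.", ("notice.zip",), True),
    Email("friend@example.com", "Hi", "Take a look: https://docs.example.com/share", (), True),
]


def sweep(msgs, thresholds=(3, 4, 6)):
    return [evaluate(msgs, t) for t in thresholds]


if __name__ == "__main__":
    for row in sweep(SAMPLE):
        print(row)
```

At the strict setting (threshold 3) every lure is blocked but two legitimate messages, the overdue invoice and the newsletter, are lost; at the permissive setting (threshold 6) nothing legitimate is touched but three of the four lures reach inboxes. The middle setting trades one of each, which is the kind of compromise an administrator tuning a real filter has to keep revisiting as lures change.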
Both Groth and Flynn lament the fact that so much time has to be spent defending against the regular threat of attacks. “I will get 150 emails a day and I’m so careful before I click on an email,” says Flynn. “And also it’s sad because we can’t trust emails coming in. It’s like they’ve already won, without even hacking in, because they’re taking so much of our time away from just doing our jobs to doing this extra work to keep us safe.”
But both also agree that this high level of caution can be justified in the same way that a fire department responding to false alarms or non-emergencies can be justified: because it takes just one time of dropping your guard for everything to go terribly wrong.