MedStar, one of the largest hospital chains in the US, crippled by cyber attack
Washington, D.C Area - March 30th, 2016 - While MedStar, the company that runs 10 hospitals in the Washington, D.C. area, has not officially confirmed it was a "ransomware" attack, employees have come forward describing messages on their computers asking for roughly $19,000 in Bitcoins, and giving the company just ten days to pay up. This situation is strikingly similar to a story from just over a month ago, when Hollywood Presbyterian Medical Center paid about $17,000 in Bitcoins to regain access to some of its systems.
Reports say that the hospitals' staffers were forced to shut down all computer systems and resort to using paper back-ups. By Tuesday evening, reports suggest that the staff could access, but not change, patient records, while other systems were still unusable. Company spokespeople have assured the public that the hospitals have continued safe operation in spite of the crisis, but doctors and nurses have pointed to the negative effects of slower than normal lab work processing, incomplete patient charts, and a lack of essential safeguards provided by the computer systems that minimize human error.
This is a situation that is likely to occur again. The systems under attack clearly don't have the security necessary to prevent this kind of infiltration, and don't have the back-ups or redundancy necessary to allow the hospitals to continue to access their data when such an attack does occur.
While we don't have any visibility into what sort of systems MedStar uses, or which ones were shut down by the hackers, this does bring up the question of cloud security versus on-premises legacy systems, whether we're talking about healthcare support systems, patient records, financial data, employee records, or any other business system and database that is essential for running hospitals, businesses, and nonprofit organizations. For years, there has been an assumption that "cloud" is somehow less secure or that keeping your data close by is more secure. Let's face it: our data and systems are nearly all connected to the internet in one way or another, so keeping your systems and data installed in a server room on your property (or even hosted in a datacenter) only makes it as secure as the protections your IT personnel can implement.
While all cloud providers are by no means equal, established enterprise-grade Software-as-a-Service (SaaS) providers have security and data integrity features once only available to the largest of enterprises, at a fraction of the cost. Some of the benefits provided by multi-tenant SaaS providers:
- Multiple fiber trunks and mirrored RAID storage
- Standby servers and redundant network components
- Redundant uninterruptable power supplies and parallel redundant generators
- Highly granular level of control over user access
- Option of requiring 2-step user verification every time a user signs on through an unrecognized device
- Enforced password changes and automatic session timeouts
- Option to set acceptable IP ranges from which users may log in
- SSAE 16 SOC1 Type II audited and PCI DSS certified
- Tightly restricted access to production data including biometric access controls
- Hardened networks and firewalls
- Real-time activity log tracking
- Automated security scanning and third party white hat penetration testing
- Virus resistance reinforced through software architecture
- Oracle database secured with advanced security
- Minimum 128-bit encryption for all data transmission
- Full daily backups to multiple locations
- Continuous backups of transaction data
- Secure streaming of transaction data to remote disaster recovery center
Even a hosted environment with your own installed applications can't provide this level of security, and businesses housing their own servers on-premises can't even come close.
We hope the latest cyber-attack will bring more and more businesses into the 21st century. Adoption of cloud applications is the best way we can hope to reverse the trend of malicious attacks on businesses.
If you'd like an assessment of your finance and accounting systems and processes, please fill out the form below and we'd be happy to contact you.