In the early-morning hours of Feb. 25, 2021, Terri Ripley got the call every chief information officer dreads: Her company, OrthoVirginia Inc., had been hit by a massive attack of the Ryuk ransomware that had shut down its entire computing fabric.

Although it would be 18 months before systems were fully restored, OrthoVirginia never shut down operations or abandoned patients. What it learned during the crisis is a lesson for any organization that might become an attack target. Today, that’s everyone.

Speaking at the Healthcare Information and Management Systems Society Inc.’s Healthcare Cybersecurity Forum in Boston this week, Ripley gave a blow-by-blow description of the events immediately following the attack, the critical choices that were made and how the company is insulating itself from future incidents.

OrthoVirginia is Virginia’s largest provider of orthopedic medicine and therapy, encompassing 105 orthopedic surgeons spread across the state. Its 25-person information technology organization had put cyber protections in place before the attack hit, but the pandemic was a curveball they didn’t anticipate.

“When COVID hit and we sent everybody home, some of those protections were not in place,” she said. “We put a lot of good measures in place, but we still got hit.”

System-wide shutdown

The attack took down servers, workstations, network storage and backups, but fortunately not electronic health records, which were hosted offsite. It encrypted the picture archiving and communication system that contains the X-rays vital to orthopedic surgery. The application and database needed to view the images were also hit and the internet protocol phones went down.

To make matters worse, OrthoVirginia’s chief cybersecurity expert was on vacation at the time. Knowing that ransomware attacks can be unpredictable, “we made the decision to shut everything down,” Ripley said. “That stopped the script from running so we were able to save the data files.”

Forensics would later determine that the attack was triggered by a remote worker clicking on a malicious link. The attackers were able to compromise the system administration password, tunnel through the backup files and then breach the network. “They had it very well mapped out,” Ripley said.

While the operational damage was severe, the backup data files had been preserved, meaning that most records could be successfully restored over time. But getting immediate help was a challenge. The company’s contract recovery service initially said it couldn’t have a team onsite for three weeks. That left OrthoVirginia scrambling to diagnose the situation on its own.

Damage control

Ripley contacted the company’s cyber insurance event response team to begin a forensic analysis and alerted the Federal Bureau of Investigation of the attack. Knowing that Ryuk targeted only Windows environments, the company set up an internal isolated wireless network connected to its EHR system and acquired every Chromebook it could find.

The onsite Active Directory server had been encrypted, but a backup hosted service was available. The cobbled-together network would serve as the company’s computing backbone for the next four months as services and databases were gradually restored.

“We had to be very careful as we brought things back up because of the risk that everything would be encrypted again,” Ripley said. Encrypted data was isolated in virtual machines and new ones were brought up for recovery.

There are so many unknowns during a ransomware attack that information can be a victim’s most precious resource. “Some of the community hospitals were awesome with giving us advice,” Ripley said, “but some shut their doors and didn’t want to talk to us.”

One of the biggest questions company leaders faced was whether to pay the ransom. The attackers demanded millions of dollars, but OrthoVirginia wasn’t prepared to offer more than a few thousand. During painfully drawn-out negotiation the cybercriminals sometimes went silent for days, only to return with a different set of demands. In the end, no ransom was paid.

Priorities-driven response

Throughout the ordeal, OrthoVirginia stuck to a battle plan based on priorities. Business continuity was essential, followed by access to electronic health records and images. The company made heavy use of social media and Epic Systems Corp.’s MyChart patient portal to compensate for the loss of its phone system and website.

Nightly calls with the board of directors were instituted to keep everyone on board. “You need to communicate often to the many stakeholders,” Ripley said. “Fortunately, it’s very easy to get the board to spend money after something like this.”

Ripley has been proactive about sharing her experience, including an interview with HIMSS earlier this year and constant communications with media and regulators as the crisis was remediated.

Lessons learned

With the attack now behind them and new preventive measures in place, she shared a few lessons. No. 1: “Stay calm,” she said. Ripley counseled over-stressed employees to take time off and continued to go for her run even at the height of the crisis. “Make sure the team has time to think and get the work done,” she advised.

It’s also important to be sure insurance coverage is up-to-date and that funds can be accessed promptly. The company was initially pleased to discover that its malpractice insurance policy also included cyberattack protection, but that created conflicts with its primary cyber insurance provider. “There was a lot of finger-pointing and it wasn’t till this year that we got that straightened out,” she said.

Document everything so law-enforcement officials and regulators have a complete audit trail, she added: “I can’t emphasize that enough.”

The importance of rigorous record-keeping became clear when OrthoVirginia received an inquiry from the U.S. Department of Health and Human Services Office for Civil Rights about a complaint from a patient whose X-ray results had been delayed. The company was able to establish through its documented forensics that the ransomware attack was responsible and avoid penalties.

Finally, frequent communication with stakeholders and the media is critical, Ripley said. “You can get some bad messaging going on with employees,” she said. “Your marketing and communications people should send out communications, not your IT people.”

You can never say never, but Ripley said she’s confident OrthoVirginia is in a better place today. “We were on-premises and now we’re in the cloud,” she said. “Things that used to happen in the data center don’t happen anymore.”

Photo: OrthoVirginia