MedStar Health's attempt to hide the type of attack that knocked its systems offline for the last few days in all likelihood informed the world of exactly what it was trying to hide: It was a ransomware attack.
There has already been a great deal of circumstantial evidence that points to ransomware as the cause. Several other healthcare organizations have had their data held hostage lately, and a report in the Washington Post stated MedStar staff have seen a ransom note appear on MedStar computer screens.
“MedStar's response is consistent with a ransomware infection,” Igor Baikalov, chief scientist at Securonix, told SCMagazine.com via email Wednesday. “If even some of the critical systems have been affected and the data encrypted before the systems were taken down to contain the infection, full and timely restoration might be problematic.”
Baikalov added that institutional embarrassment is also a reason some firms remain mum.
“Healthcare organizations that don't have adequate anti-virus defenses to protect against ransomware are unlikely to have a vastly higher level of backup discipline and other disaster recovery capabilities,” he said, adding this could result in a payoff taking place to restore the data, which no company would want to admit.
MedStar reported on Monday that a cyberattack crippled its computer systems forcing the healthcare provider – which operates 10 hospitals and numerous outpatient facilities in the Washington, D.C.-Maryland region – to shut down its network so the problem would not spread. Forty-eight hours after the attack, the company was slowly bringing its system back online, it reported.
Even though the cat is out of the bag concerning the type of attack, infosec pros said it is normal for a victimized company to keep the type of attack on the QT, and many cited several solid reasons for a company like MedStar to use this strategy.
“It's not uncommon for companies to wait until they have fully investigated the cause and nature of a breach,” said Dana Simberkoff, chief compliance and risk officer for AvePoint. “This ensures that they have addressed and taken required remedial action before fully disclosing information about specific circumstances.”
Going into a quiet period also gives MedStar the time to figure out exactly how the attack happened and the full extent of the damage, Brian Contos, vice president and chief security strategist for Securonix, told SCMagazine.com in an email.
“They also might have found enough information to track down the attackers, so they don't want to share exact details until law enforcement has made an arrest,” Contos added.
The final reason cited is that MedStar is under no legal obligation to divulge anything to the public regarding the attack. In fact, doing so could simply encourage future attacks.
“There are no laws or regulations which require a compromised organization to disclose the specific type of attack they incurred,” Travis Smith, Tripwire's senior security research engineer, told SCMagazine.com in an email Wednesday. “An organization may see disclosing details of a successful attack as disclosing private information, which may aid attackers in the future.”