After a thorough investigation into the late August cyberattack on the Appalachian Regional Healthcare (ARH) system, findings from independent computer forensic experts as well as federal authorities have determined that no ARH patient or employee health or financial information was compromised in the attack.
According to Mainstream Security (MS), the expert digital forensic team contracted to provide incident response and forensic investigation services during the incident, the ransomware used in the August 27 incident, which kept the ARH computer system down for nearly two weeks, was identified through a combined forensic analysis by Mainstream Security, the United States Department of Homeland Security and the Federal Bureau of Investigation as a new malware that had not previously been observed by the DHS or the FBI.
The investigation determined that the malware which was used in the attack on ARH was designed to affect only computers that run on the Windows operating system. Mainstream Security says the malware was only able to access files on one ARH test server used to test certain software programs before they are rolled out to ARH’s hospital locations. This test server did not house any health or personal information for ARH patients or employees.
According to Mainstream Security’s findings, the malware did not gain access to information on computers on the ARH network, which do not run on the Windows operating system, and no personal or protected health information (PHI) was accessed on those computers throughout ARH’s locations in eastern Kentucky and southern West Virginia.
The Mainstream Security team says that based on all factors they used in the investigation, “it is reasonable to conclude that no ARH PHI was acquired or viewed by the threat actors. Issues that caused the attack to be successful have been remediated and the threat actors no longer have access to the system. MS determined that there was no malware implanted that would allow future access. The threat actors only had access one day before the discovery and that access was only to a very limited set of files and none of these files included PHI of ARH.”
As the health system continues to move forward, tighter security measures are in place, and ARH has contracted with SDG Blue, an experienced IT security organization with a focus on the recent Office for Civil Rights (OCR) Phase II HIPAA audits. SDG Blue will be completing annual HIPAA Security Risk Assessments, periodic firewall penetration testing, and upgrades to all layers of security protection engineered to forestall the threats and exposures of today's internet.
“In this electronic age in which we operate, these types of occurrences are unfortunately becoming increasingly sophisticated, and no company – large or small – is fully immune. Thanks to the swift response of our ARH Information Technology team, this malware was quickly detected, and as a safeguard all ARH computers and web-based services were immediately shut down and remained down until we could fully investigate the nature and source of the attack,” ARH President and CEO Joe Grossman said. “We are proud of the manner in which our team handled this incident as well as the dedication and teamwork that was shown by our employees working throughout our ARH facilities as they rose to the occasion and demonstrated just how resilient our healthcare team can be no matter what challenge may come our way.”
Appalachian Regional Healthcare (ARH) is a not-for-profit health system operating 11 hospitals, multi-specialty physician practices, home health agencies, home medical equipment stores and retail pharmacies in Kentucky and West Virginia.