
Ransomware Attack Revisited and Lessons Learned 

Pondurance
May 9, 2025

A ransomware attack can shut down an organization’s ability to function. And when that organization is a hospital, protected health information can be compromised and lives can be at risk. But an attack doesn’t have to be devastating. 


Hancock Health, a 20-plus location independent health system in Indiana, experienced a ransomware attack in 2018 and, with assistance from its cybersecurity provider and legal counsel, was able to navigate the cyberattack with minimal harm. In a recent webinar, Steve Long, CEO at Hancock Health, and Ron Pelletier, Founder and Chief Customer Officer at Pondurance, discussed what happened before, during, and after the incident and offered lessons learned for future cyber resilience. 


The initial attack

Hancock Health was preparing for a winter storm on a Thursday in January, just before a holiday weekend. That night, Steve received a text: ransom notes had appeared on the hospital's computers stating that the systems had been encrypted by SamSam ransomware.


The organization was “averagely prepared” for a cyber incident. Hancock Health received the Most Wired award three times in a row for excellence in healthcare IT, maintained a comprehensive privacy program and cybersecurity program, and had an incident response plan in place that focused on patient safety, patient data security, and restoration. The organization quickly activated the incident response plan. 


First, Hancock Health shut down all network and desktop systems, including the manual shutdown of 1,200 devices, and posted signs for employees to stay off the network. In hindsight, Steve and Ron suggested that it’s not always a good idea to shut down every computer during a ransomware attack. 


“There’s always a lot of forensic evidence, very valuable evidence, that can remain behind with a powered-on machine,” said Ron. Today, the incident response plan provides guidance to keep the systems up and running during a cyber incident.


Lesson learned: Don't reflexively power off every machine during a ransomware attack. Volatile forensic evidence (memory contents, running processes, active network connections) is lost on shutdown; where possible, contain by isolating affected systems from the network while leaving them powered on so that evidence survives.

Next, executive leadership members established an incident command center and began notifying people of the situation. They needed to contact the board of directors and call off all nonessential employees. However, they lacked access to their files and could not use corporate email. Fortunately, Hancock Health used BoardEffect, an internet-based communications solution, so Steve was able to contact the board members through that service. The organization also used the messaging platforms Diagnotes and Live Process to communicate with employees, but many employees had listed their work email as their preferred contact method, so the team had to track down cell phone numbers to reach them.


Lesson learned: Set up a system to contact board members and employees using their cell phones or personal emails.

The leadership team contacted key parties, including Hall Render, legal counsel for Hancock Health. The attorney instructed the team to call the FBI for advice and engaged cybersecurity provider Pondurance to initiate a forensic investigation. Team members also contacted their cyber liability insurance provider but were unable to reach anyone there. When the insurer's representative called back, he instructed Hancock Health not to use Hall Render and Pondurance because neither was impaneled, that is, on the insurer's list of pre-approved vendors. However, because the investigation was already under way, the provider allowed it.


Lesson learned: Confirm in advance, with your cyber insurer, that the legal counsel and incident response firm you intend to use during a cyber incident are approved under your policy.

Throughout the incident, patient care continued. Hancock Health had to ensure that patient-facing equipment was not affected, briefly divert emergency room (ER) care until processes were established and stabilized, and convert the staff to paper documentation. 


“We never stopped being a hospital,” said Steve. “We were a hospital the entire time. Babies were born, surgeries were done, and ER visits were completed because hospitals are not computers. They are people taking care of people.”


Forensic investigation

A forensic investigation involves four stages: identification, containment, eradication, and remediation. In the identification stage, the Pondurance team determined how the threat actors got into the network, what they were doing, and how long they had been there. The team was able to do so largely because Hancock Health had an abundance of logs to review: the team could see which emails were opened, what the threat actors viewed, and even what they hovered over or clicked on. 


Since a ransomware attack can trigger notification obligations under state and federal privacy laws, including HIPAA, it was important for Hancock Health to determine from the forensic evidence whether a breach had occurred in violation of the law. Using the logs, Pondurance determined that there had been no exfiltration of data, meaning the data remained inside the system the entire time, and that no violation occurred. 


Lesson learned: Logging is absolutely essential.
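The "zero exfiltration" finding above rests on being able to account for every byte that left the network. As an added example (not Pondurance's or Hancock Health's tooling, and not the incident's actual logs), the script below sums outbound traffic from internal hosts to external destinations over constructed firewall log lines and flags any host whose external volume exceeds a threshold. The five-field log layout, the RFC 1918 definition of "internal", the sample addresses, and the 100 MiB threshold are all assumptions for illustration.

```python
"""Outbound-volume check over firewall logs to support an exfiltration finding.

Added example, not code from the page or from Pondurance. The log format,
thresholds and sample data are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample lines (not from the incident). Assumed layout:
# <ISO timestamp> <src_ip> <dst_ip> <dst_port> <bytes_out>
# The last line is deliberately malformed to show that it is skipped, not counted.
SAMPLE_LOGS = """\
2018-01-11T22:01:05Z 10.20.5.14 10.20.1.3 445 18234
2018-01-11T22:03:11Z 10.20.5.14 203.0.113.9 443 1204
2018-01-11T22:04:40Z 10.20.7.88 198.51.100.7 443 734003200
2018-01-11T22:05:02Z 10.20.7.88 198.51.100.7 443 512000000
2018-01-11T22:06:15Z 10.20.5.14 10.20.1.3 3389 2048
2018-01-11T22:07:55Z 10.20.9.2 203.0.113.9 443 880
2018-01-11T22:08:00Z 10.20.9.2 corrupted-line
"""

# RFC 1918 ranges are treated as internal; everything else as external.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Return (src, dst, bytes_out) or None for lines that do not fit the layout."""
    parts = line.split()
    if len(parts) != 5:
        return None
    _ts, src, dst, _port, nbytes = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        return src, dst, int(nbytes)
    except ValueError:
        return None


def outbound_bytes_by_host(log_text: str) -> dict:
    """Sum bytes sent from each internal host to external destinations.

    Internal-to-internal flows (e.g. SMB/RDP lateral movement) are ignored here
    because they cannot move data off the network, though they matter elsewhere
    in the investigation.
    """
    totals = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, nbytes = rec
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)


def flag_exfiltration(totals: dict, threshold_bytes: int):
    """Hosts whose external outbound volume exceeds the threshold, largest first."""
    hits = [(host, nbytes) for host, nbytes in totals.items() if nbytes > threshold_bytes]
    return sorted(hits, key=lambda hb: hb[1], reverse=True)


if __name__ == "__main__":
    totals = outbound_bytes_by_host(SAMPLE_LOGS)
    for host, nbytes in flag_exfiltration(totals, 100 * 1024 * 1024):
        print(f"{host}: {nbytes} bytes to external destinations")
```

On the sample data the 1.2 GB sent by 10.20.7.88 to a single external address stands out while the other hosts are in the kilobyte range. Two caveats apply in a real investigation: a volume check like this only supports a "no exfiltration" conclusion if the logs cover every egress path (proxy, VPN, DNS, cloud storage, email), and slow, low-volume transfers stay below any single threshold, so per-destination and per-day views are needed alongside the total.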

The containment stage is where many victims of cyberattacks get into trouble. Often, organizations want to move directly to restoration to get the business running again. But an organization must first close the access path that allowed the threat actors in. Without containment, the threat actors can walk right back in through the same door. Pondurance identified how the threat actors got in, fixed that vulnerability to contain the network, eradicated the threat actors, and only then worked toward remediation. 


Ransom payment

The threat actors provided specific directions on how to pay the ransom demand. The organization could either purchase the decryption keys and decrypt the system or not purchase the keys and restore from backup. To pay or not to pay? 


At the time, Steve was unsure whether Hancock Health had usable backups. But even if they existed, he knew a restore would take days, and the hospital would lose $1.5 million to $2 million per day while it ran, so the leadership team decided to pay the ransom. When paying a ransom, an organization is always concerned that the threat actor won't deliver even after payment is made. The FBI explained that it all depends on the "integrity" of the threat actor. Of course, an organization can never completely trust a threat actor, but this particular group had a reputation for delivering the keys upon payment.


The payment required bitcoin, which meant that, in 2018, Hancock Health had to purchase bitcoin through a bank. Since it was a holiday weekend, team members had to complete the transaction by end of day Friday; otherwise, they couldn't pay the ransom until Tuesday. Hancock Health secured the bitcoin at 4:45 p.m. that afternoon and precisely followed the directions for payment. Early Saturday morning, Hancock Health received the decryption keys — 1,400 keys, to be exact, because there were 1,400 devices that each required a separate key. Before using them, the Pondurance team verified that each key actually worked and that the decryption process placed nothing malicious on the systems.


The ransom amount was four bitcoins at $14,000 each for a total of $56,000 — a small amount compared with ransom payments for the healthcare industry today. In 2024, the average healthcare ransom payment was $900,000, and Change Healthcare paid the largest ransom of $22 million that year, according to The HIPAA Journal.


“I’m not going to say never pay the ransom,” said Ron. “You may not have a choice when there’s a lot at stake. Steve went through the risk analysis. You determine that this is the best course of action — we’re going to get these keys back, we’re going to get things in order, get back in business. So that’s what was done. But certainly, today might be a little bit different in terms of the amounts.”


Cyber resilience

Following the attack, Hancock Health partnered with Pondurance for its managed detection and response services to rapidly detect and respond to threats. Pondurance offers an advanced technology platform integrated with SentinelOne endpoint detection and response, has a 24/7 U.S.-based security operations center (SOC), and provides a vulnerability management service. Together, Hancock Health and Pondurance debriefed on lessons learned, identified and implemented the next steps needed to proactively reduce incidents, updated the incident response plan, and took a holistic approach to minimizing potential harm. The goal was a strategic, dynamic, and ongoing effort to avoid risk, prevent attacks, and respond to threats.


In particular, they evaluated the attack surface, vulnerabilities, and proactive capabilities to reduce incident risks. These measures included:


  • Conducting an enterprisewide risk analysis

  • Developing and implementing a remediation plan

  • Regularly updating and patching software and systems

  • Implementing multifactor authentication

  • Employing a vendor management program

  • Performing annual penetration testing

  • Conducting annual workforce training


Steve stressed that the team is the key to a successful cyber response: “You need to have people who say, ‘this is a period of time where we need to devote ourselves wholly to this place.’ We did not go to sleep for, I think, about 50 hours during this. You have to be dedicated. You have to be selfless. … You have to be honest because, if you’re not honest, you do not make it through this. And you have to have a great partner like Pondurance.”


Lesson learned: The key to cyber success is a team that’s dedicated, selfless, and honest.


Always a new threat

The cyber environment is constantly evolving, and a well-prepared organization is one that can readily respond. So, in May 2023, when the electronic medical record suddenly became unavailable and the cloud hosting service reported an interruption in service, Hancock Health was prepared. The team traced the issue to an attempt to load Cobalt Strike onto the cloud network from a hospital computer. The intrusion had started with an SEO poisoning attack: an experienced department director downloaded a file from what appeared to be a legitimate source, and that download installed Gootkit, which the attackers then used to stage Cobalt Strike.


The work done to harden the defenses from the 2018 ransomware attack allowed the team to identify and intervene much more quickly this time. The entire incident lasted only 36 hours with no exfiltration, loss of control, or ransom demand, and downtime was limited only to the electronic medical records. 


“That’s resilience,” said Ron. “Resilience is not prevention. You want to be able to prevent, but you have to be prepared to respond. You have to have the right things in place to be able to see what’s going on so that you can take dynamic action and response to be able to thwart it and take it away.”


Lesson learned: You can't prevent every cyber threat, but with the right visibility and plan in place you can respond to one quickly enough to get a far better outcome.

Lastly, Steve recalled that Hancock Health was averagely prepared for a cyber incident in 2018, having taken all the typical cybersecurity measures. After experiencing the latest threat in 2023, he believes the amount of money it costs to be very well prepared is not that much more and is well worth it. Steve encourages companies in healthcare and all industries to take similar actions to stay resilient against a potential cyberattack.


Lesson learned: The cost to be very well prepared versus averagely prepared is not much more, and it is worth it.

Conclusion

Hancock Health has firsthand experience of more than one cyberattack. The organization has turned those experiences into lessons learned and a more resilient cyber posture moving forward. Hear the full story as Steve and Ron revisit the attacks and share the valuable lessons learned. Watch the webinar.





About Our Contributors: Steve Long and Ron Pelletier


Steve Long: Steve Long is the President & CEO of Hancock Health in Greenfield, Indiana. With over 30 years of experience as a healthcare executive, Steve has held leadership roles in a diverse array of hospital settings, including for-profit and not-for-profit institutions, academic medical centers, large hospital systems, independent community hospitals, and military hospitals. His extensive career includes key positions at notable organizations such as the University of Iowa Healthcare, MD Anderson Cancer Center in Texas, and Aurora Healthcare in Wisconsin.


Ron Pelletier: Ron Pelletier is the original Founder of Pondurance, having started the company from his basement in 2008. Ron has over 25 years of cybersecurity advisory experience. He started his career as an officer in the US Army, followed by nine years with the Big Four firm EY. As a strong consensus builder and customer advocate, Ron is focused on evangelizing the Pondurance brand as well as customer success.
