3 Lessons A Healthcare IT Director Wishes He Knew (Before He Got Hacked)

stethoscope and heart graphic

Jamion Aden has never strayed far from Cozad, Nebraska. It’s where he grew up, where he went to school, where he got his first job out of college (coincidentally, right next door to his college), and today, it’s where he oversees IT at Cozad Community Health System—he’s the IT Director and the Director of Rural Health Clinics.

Jamion has found his career footing in the place he’s called home for many years. Today, he’s committed to keeping Cozad Community Health System’s IT running smoothly and without security breaches. As all IT professionals know, however, getting hacked is never a matter of if; it’s a matter of when.

This is the story of how a hacker found their way into Cozad Health’s network, how Jamion tackled the issue, and the important lessons he learned along the way.

Finding his way to Cozad Community Health System

But first, some background on Jamion. After completing his post-secondary education in Information Technology and Electronics Technology, he landed his first job as a network engineer for a telecommunications company where he had completed a work/study program while in school.

After leaving his hometown to work briefly as a systems analyst at a publishing company, and then as a network engineer for a retail company, he found his way back to Cozad after the CEO of Cozad Community Health System reached out to ask if he was interested in a new opportunity.

Now, he’s been at Cozad Community Health System for almost three years. It’s a small organization, and together Jamion and his two employees are responsible for everything IT—from managing the helpdesk, to keeping patient data safe, to protecting the organization from security breaches. One night, however, that last point was tested.

The attack

It started in the middle of the night: 12:30 am, to be precise. One of Jamion’s team members called him, saying that he had gotten a phone call from one of Cozad Health’s ER nurses. The nurse was trying to discharge a patient, but couldn’t print the form they needed. After logging in to the system, Jamion’s employee realized something wasn’t right.

Together, they started investigating and saw that there was a Ryuk attack occurring on one of their servers (for the uninitiated, Ryuk is a form of ransomware that attempts to block system access until a “ransom” is paid). While his employee shut down all 50 servers, Jamion got to work blocking all connections to the sub-net. Thankfully, no patient health information (PHI) was affected.

As Jamion describes it, it was a blessing in disguise that printers were affected first. It was an obvious sign that something was wrong, and it happened soon enough after the attack occurred that Jamion and his team could get to work shutting everything down before too many things were affected—all told, less than 15 minutes elapsed between the beginning of the attack and Jamion’s team being notified that something was wrong.

Even so, there was still damage to address. Of the 50 servers, 20 were affected and had to be rebuilt. Of course, being part of a healthcare system, Jamion’s biggest concern was protecting patient data. Thankfully, the company’s electronic medical record system is housed offline, outside of the network. Jamion was also concerned about whether other sensitive corporate information that was housed on network servers was affected. In another stroke of luck, those servers were not among any of the ones that were affected.

One of the biggest things that saved Cozad Health against this attack was the fact that the entire sub-net was running on a VMware environment. This allowed Jamion and his team to boot each server up one by one without connecting the network and opening their data up to more vulnerabilities.

Doing damage control

The entire process of taking everything offline, launching an investigation, and assessing the damage done didn’t take long. Jamion was notified about the security breach at 12:30 am, and by 7:00 am, everything had been shut down and was being combed through. “With Ryuk, you can actually tell where it starts to affect your files,” says Jamion. “[The ransomware] will go into the program files, so we just had to start looking for modified dates on those files.” Jamion and his team kept an eye out for recently modified files that should not have been touched for a few months—the tip-off that those files had been affected.

Once everything was accounted for and under control, Jamion’s team got to work on two important things. The first was switching to a new anti-virus protection provider. “We found out that the definitions we were getting from them were not blocking Ryuk,” says Jamion, “Which is how we got into this situation.”

The second thing was implementing Zix for email filtering, which was especially important as it seemed that Ryuk had gotten in through a phishing email. “Overall, we wanted to make it fool proof for our end users,” says Jamion. “We didn’t want anyone worrying about what they were clicking on, and we wanted people to feel assured and safe.”

Overall, Jamion is proud of how quickly he and his team got to work and were able to save Cozad Community Health System from a major attack. However, as with all security breaches, this crisis came with some hard-won lessons for Jamion.

Lesson #1: Have a mediation plan in place

Again, when it comes to cyber security, it’s never a question of if an attempted hack will occur, but when. “You should always have a backup plan in place,” says Jamion. “And a backup plan to your backup plan.” This means regularly checking that your backup solutions are working and that you also have offsite backups in place. “You can never have too many,” says Jamion.

Lesson #2: Have a good backup structure in place for business data

As mentioned, although patient data was left untouched due to being kept offline, there was sensitive business data that was affected during this attack. In fact, from just one server, three months’ worth of data were rendered unrecoverable. There’s no substitute for work like that being lost, and having this attack happen drove that point home for Jamion. Now, it’s more of a priority than ever for Jamion and his team to offer backup solutions to every piece of data housed on network servers.

Lesson #3: Keep your  malware definitions up to date

Before this attack occurred, Jamion’s team was using a different anti-virus software than what they use today. That software’s virus definitions were not blocking Ryuk attacks, which is how an attack occurred. One of the anti-virus solutions that Jamion’s team switched to in the wake of the attack is an AI platform that is constantly learning and  and has proven to protect against both known and zero-day attacks.

“Since we’ve implemented that software, we’ve had zero issues,” says Jamion. Though they have the advantage of AI, keeping safe is also a matter of staying informed. “We’re constantly looking for what the next ransomware is going to be,” says Jamion. “We also rely on third-party companies to investigate that for us. Zix does a great job of making sure the rules and definitions are up to date, and it catches a ton of stuff that we wouldn’t have caught on our own.”

Overall, keeping an organization safe from hackers is tireless work, and there will always be lessons to learn. Though getting hacked was a stressful situation, it also prompted Jamion and his team to make changes that ended up keeping Cozad Community Health System safer in the long run. In the meantime, Jamion and his team won’t let their guard down, though. They learned some valuable lessons, and now you can too.