NRC Health, which sells software to some of the country’s largest health care organizations, shut down its computer systems last week following a ransomware attack, the company said in a statement Thursday.
Nebraska-based NRC Health, whose clients include big health care providers like the University of Missouri Health System, collects data on patient habits that could be a prime target for cybercriminals.
Asked by CyberScoop if his company had paid a ransom to regain access to its data, Chief Information Officer Paul Cooper would only say that NRC Health had “considered all options to restore systems as quickly as possible for our customers.” The FBI and an unnamed cybersecurity company hired by NRC Health are investigating, he said in an email.
It is just the latest ransomware incident in the health care sector, where sensitive personal data abounds but the resources to secure it are stretched thin. Many of the smaller health care delivery organizations don’t have a single, full-time security professional on staff, according to Joshua Corman, whose cybersecurity volunteer organization, I am the Cavalry, has studied the issue.
Despite the file-locking attack, Cooper said “there is still no evidence of unauthorized access to or acquisition of any data from our systems,” including “protected health information.” The company will finish gradually bringing its systems back online in the coming days.
Cooper did not identify the type of ransomware used in the attack, nor would he discuss the scope of the impact on NRC Health’s clients. “We are communicating directly with impacted clients.”
“Our resources are singularly dedicated to regaining full operability and investigating this matter to completion,” he said.
CNBC was first to report on the incident.
The health care sector has in recent years become more aware of the threat posed by ransomware, and has made progress in other areas such as working with researchers who uncover vulnerabilities in medical devices. But experts say more resources are needed.
In the last seven months, for example, ransomware infections have caused a hospital system in Alabama to turn away patients and a Southern California clinic to shut down permanently.
“Neither the hospitals nor their technology suppliers are battle tested for this new normal – and the learning curve is quite steep,” Corman told CyberScoop.
To prioritize limited resources, health care and security professionals should focus on protecting devices with the biggest implications for patient safety, he said.
“We need to expect the most cybersecurity hygiene from the most depended upon products,” Corman added.