UHS hospital chain hit with apparent ransomware attack
Universal Health Services, a Pennsylvania-based health system that operates about 400 facilities throughout the country and overseas, was hit with a cyberattack early Sunday.
Computer systems for UHS began to fail over the weekend, with some hospitals forced to return to documenting patient information with pen and paper, according to reporting by NBC News, which called it "potentially [the] largest in U.S. history."
UHS posted a statement on Monday morning confirming that the IT network across its facilities was down.
On Tuesday, it published a follow-up statement saying that the system had experienced an "information technology security incident," and that it had suspended user access to IT applications related to U.S. operations.
"At this time, we have no evidence that patient or employee data was accessed, copied or misused," said the statement.
UHS maintained "patient care continues to be delivered safely and effectively," although nurses told NBC that they've had difficulties with an online medication system.
WHY IT MATTERS
Although UHS did not offer details as to the specific nature of the attack, a source told NBC that the attack "looks and smells like ransomware."
If that's the case, experts told Healthcare IT News, UHS wouldn't be alone: "Ransomware, in all its pervasive forms, is associated with the majority of healthcare cyber incidents, and it is often a simple result of inadequate security training," Mike Puglia, chief strategy officer at Kaseya, said.
"Because of that inadequate security training, employees are using and reusing weak or already compromised passwords, clicking links they shouldn’t be, leaving databases unsecured, not applying security patches, or storing protected health information on USB drives and losing them. Of those mistakes, weak passwords, phishing attacks and a lack of security patching are most often the root cause of most, if not all, of the ransomware attacks we read about," Puglia continued.
"Recently, we have also seen the emergence of a new trend whereby ransomware attacks not only encrypt an organization’s systems, but also exfiltrate data and threaten to release it publicly if the ransom is not paid," said Torsten George, cybersecurity evangelist at Centrify.
Last week, the Newark, New Jersey-based University Hospital experienced a 48,000-document breach as part of a ransomware operation's dedicated leak.
"To date, only a small percentage of ransomware attacks have taken this extra step, likely because it exposes cybercriminals to an increased risk of detection and identification by law enforcement. The threat actors that have gone down this path were likely motivated by the larger payout they would receive if the company acquiesced," George continued.
Security pros said that the unique nature of the healthcare industry makes it a particularly juicy target for bad actors.
"With an increased burden on the healthcare system due to COVID-19, cybercriminals know they have golden opportunities to make money from healthcare targets. During the first three months of 2020, the number of breached records in the healthcare sector exploded by 273% over the same period in 2019," said Puglia.
"It's not that the industry as a whole is more susceptible, but more that it's such a diverse pool of sensitive technologies," said Neal Dennis, threat intelligence specialist at Cyware. "Due to the nature of healthcare and the general necessary uptime of [its] various equipment, it's typically harder to update these systems. Many are reliant on older specialized code bases, making them more susceptible to compromise."
Dennis also flagged the human element to cybersecurity: "Add to that, we see stories daily of healthcare workers being overworked, understaffed. I imagine fatigue plays a role in susceptibility too. Clearly, overworked staff will have a harder time receiving appropriate training."
"Employees are the first line of defense," agreed Puglia.
To protect themselves from these kinds of attacks, experts advised that systems ensure their workers are using strong passwords, reporting suspicious links in emails and making relevant software updates when needed.
"There is also [a] continued lack of awareness of the need for SaaS backup in healthcare IT. Healthcare organizations and their IT leaders need to recognize that platforms like G Suite, Microsoft Office 365 and Salesforce do not guarantee full restoration of lost data if an issue occurs on their end either through an honest mistake or malicious intent," said Puglia.
"Responsibility lies with the IT department to fill in any data-protection gaps by implementing a backup and recovery solution, even for SaaS applications."
"Now, more than ever, we need backup plans in place," said Lee Kim, director of privacy and security at Healthcare IT News parent company HIMSS.
"Patient safety and cybersecurity are directly related," Kim continued. "If computer systems are the sole means for running critical systems – such as lab results, PACS, et cetera) – then when they go down, these essential units are unable to function. Patients will need to be turned away."
"Depending upon the circumstance, delayed surgeries, lab results, and other delays that result in the delayed provision of care may put patient safety at risk," she continued.
THE LARGER TREND
Ransomware attacks can prove dangerous – even deadly – for patients. Earlier this month, a German woman died after a ransomware attack necessitated a move between hospitals. It is said to be the first fatality linked to a ransomware attack.
As the security professionals noted, the COVID-19 pandemic has facilitated opportunities for cybercriminals, with many employees working from home and IT systems undergoing rapid, often large, changes.
"Any time you make a change to an IT environment, you have the potential to increase risk," said Andy Riley, executive director of security strategy at the managed-security-services vendor Nuspire, in an interview this summer.
ON THE RECORD
"Holding someone or something for ransom is a simple yet effective strategy that has been used by criminals for thousands of years," said Torsten George, cybersecurity evangelist at Centrify.
"Today, cybercriminals are exploiting these ancient techniques using modern technologies .… And in the case of healthcare, system downtime can lead to life or death situations. In an already stressful, high-stakes environment, proactivity rather than reactivity is key so hospitals can avoid falling victim and having to make difficult decisions around individuals' care as a result of a cyberattack," said George.