Ransomware attacks on hospitals put patients at risk

An employee at the University of Vermont Medical Center accidentally opened an emailed file from her homeowners association, which had been hacked, in October 2020.

The mistake ultimately led the University of Vermont Health Network, which includes the state’s largest hospital in Burlington, to cancel surgeries, reschedule mammogram appointments and delay treatments for some patients with cancer.

The ensuing ransomware attack forced authorities to shut down all internet connections, including access to patients’ electronic health records, to prevent cybercriminals from doing more damage.

“Everything was broken. So our phones were down. We no longer had fax machines. … You couldn’t use email to communicate,” Dr. Stephen Leffler, the system’s president and chief operating officer, said of the attack in a recent podcast by the American Hospital Association. “That first night, we actually sent people to Best Buy to buy walkie-talkies.”

In recent years, a growing number of hospitals and healthcare organizations across the United States have faced cyberattacks, disrupting care and putting patients at risk. This includes some public health facilities run by state or local governments.

“Hospitals have been hit pretty hard by high-impact ransomware attacks during the pandemic,” said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.

Riggi noted that during the pandemic, hospitals have had to rapidly expand network and internet-connected technology and deploy remote systems to support staff members who have transitioned to telecommuting.

“The bad guys took advantage and had more opportunities to enter our networks,” he said.

Ransomware attacks have forced some hospitals to halt chemotherapy, delay reporting lab results, and postpone maternity appointments for patients.

Some had to divert ambulances because their emergency rooms could not accept new patients.

“We’ve seen this in several ransomware attacks, especially with small hospitals,” Riggi said. “The next emergency service could be 125 miles away.”

Just last month, the US Department of Health and Human Services issued a warning about an aggressive ransomware gang attacking healthcare organizations. Among its victims: a network of hospitals and clinics in Ohio and West Virginia that had to cancel surgeries and divert emergency patients to other facilities.

And with the heightened threat of Russian cyberattacks on the United States following the invasion of Ukraine, healthcare systems are even more vulnerable as they are considered critical infrastructure, experts say.

“We are not aware of any specific credible direct threat to US hospitals and healthcare systems,” Riggi said. “But we fear they will become collateral damage in attacks launched by Russia. Or that Russian-speaking gangs will launch retaliatory attacks against the West.”

In February, the US Cybersecurity and Infrastructure Security Agency issued a “Shields Up” warning regarding the growing Russian cyber threat to organizations.

Ransomware hijacks computer systems and holds them hostage until victims pay a ransom or restore the system on their own. It is usually spread through phishing, in which hackers send malicious links or attachments via email and people click on them unintentionally, releasing malware.

In 2020 and 2021, there were at least 168 ransomware attacks affecting 1,763 clinics, hospitals and healthcare organizations in the United States, according to Brett Callow, threat analyst for cybersecurity firm Emsisoft.

According to the Health Information Sharing and Analysis Center, a global nonprofit cyber threat sharing group for the health industry, a November survey of 132 healthcare executives, mostly from the United States, found ransomware to be the No. 1 cybersecurity concern, more than data breaches or insider threats.

“The shift from paper-based health records to electronic health records has made patient health information more accessible, however, these records are more vulnerable to attack and are extremely lucrative,” the report notes. It said hackers can charge $50 for a partial medical record, compared to $1 for a stolen Social Security or credit card number.

Historically, the healthcare industry has been playing catch-up on cybersecurity, according to Errol Weiss, chief security officer of the health information sharing group.

“The focus was on compliance with [federal requirements related to] patient data privacy, not cybersecurity,” Weiss said. “Unfortunately, many healthcare organizations aren’t as good as they should have been and have been easy prey.”

The pandemic made matters worse as hospitals were over capacity and busy treating critically ill patients with COVID-19.

“It was the perfect storm, between ransomware, all the overcapacity, burnt out people and system vulnerability,” Weiss said.

Some cybercriminals deliberately target healthcare organizations; other attacks are massive phishing campaigns that hook a staff member or contractor and introduce malware into the network, as in the University of Vermont Medical Center attack.

The attackers ended up encrypting the hospital’s 1,300 servers and dropping malware on 5,000 devices, said Dr. Doug Gentile, senior vice president of information technology at the University of Vermont Health Network.

The electronic health records system was on a separate part of the network, but the team proactively took it offline at the main hospital and at outpatient clinics at three other hospitals to prevent it from being attacked, according to Gentile.

Officials never contacted the cybercriminals or paid a ransom, he said, and no patient data was compromised.

While the hospital had a good computer backup system, it still took 28 days to rebuild the infrastructure and bring electronic health records back online, Gentile said. It took several months to restore the entire system.

For nearly a month, doctors and nurses had to do everything on paper.

“We had just spent a decade eliminating paper from our system,” Gentile said. “Suddenly we had paper everywhere. We had to buy binders.”

For young doctors, it was a learning experience.

“Most of them had never written orders on paper before,” he said. “We had people walking around the floors helping these people write prescriptions on paper because the new doctors didn’t know how to do that.”

Another problem: the staff could not access the clinic schedules for patients, so for several days they did not know who was due to come or when.

The cyberattack cost the Vermont hospital system about $54 million, including rebuilding the computer network and lost revenue, officials said.

Since the attack, they have beefed up advanced firewall protection and anti-virus software and blocked access to personal emails on work computers, Gentile said. They also regularly send phishing emails to staff members as a test.

“It’s an ongoing gun war. The groups that are carrying out these attacks are very sophisticated, very corporate,” he said. “We’re still on high alert, trying to bolster our defenses against another attack.”
