Originally published to MedCity News on September 30, 2020 by ELISE REUTER


A malware attack brought hospital chain Universal Health Services’ IT systems down at the beginning of the week. Cybersecurity experts said hospitals should expect more of these attacks, as recovery can be costly.

National hospital chain Universal Health Services (UHS) disclosed on Tuesday that it had been subject to a malware attack. IT systems for its hospitals across the U.S. have been down since Sunday night, and it has not shared when they will go back online.

While the full extent of the attack is not yet known, cybersecurity experts said recovery can be a long and costly process, depending on what protections were in place before the security breach. Healthcare organizations, which hold troves of valuable patient data, are increasingly becoming a target for hackers.

“Honestly, hospitals are a really soft target. What happened in the last few years is, on the one hand, there is a tremendous rise in complexity and connectivity in the hospital,” said Ido Geffen, vice president of product for healthcare cybersecurity firm CyberMDX. “So you have all of a sudden, especially in the last five years, a tremendous amount of personal health information that is moving. It’s a good thing in a broader manner.”

The downside is that those records fetch a high price on the black market, especially in the U.S., where records can include a patient’s social security number, insurance policy number and credit card information, he added.

UHS said it has no evidence that patient or employee data was accessed. Its major information systems, including its electronic medical record system, were not directly impacted by the attack, the company disclosed on Thursday.

The for-profit hospital chain operates 26 hospitals and 330 behavioral health facilities across the U.S. In an emailed statement on Wednesday, UHS confirmed its systems were still down, with some applications coming back online.

“In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively,” UHS stated in a news release.

By Thursday, the health system said it was making steady progress and was confident it would soon be able to restore hospital networks.

UHS would not confirm whether the attack was ransomware, a type of malware that encrypts files, with the attacker demanding payment to restore them. According to information security publication BleepingComputer, an unnamed employee said files on one of the affected computers were being renamed with a .ryk extension, which is used by a strain of ransomware called “Ryuk.”
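The renaming of files to a ransomware extension, as the employee described, is something a defender can watch for in file-audit logs. The following is an added example, not code from the article or from any of the organizations it quotes: it scans constructed file-audit lines and flags any host on which many files gain the .ryk extension within a short window. The log format, host names and thresholds are assumptions made for the example.

```python
"""Flag hosts on which many files are renamed to a ransomware extension
within a short time window. Added example with a constructed log format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed file-audit lines: "<ISO timestamp> <host> <op> <old path> -> <new path>"
SAMPLE_LOG = """\
2020-09-27T23:01:02 ws-0412 RENAME /srv/share/q3.xlsx -> /srv/share/q3.xlsx.ryk
2020-09-27T23:01:03 ws-0412 RENAME /srv/share/notes.docx -> /srv/share/notes.docx.ryk
2020-09-27T23:01:03 ws-0412 WRITE /srv/share/RyukReadMe.txt -> /srv/share/RyukReadMe.txt
2020-09-27T23:01:05 ws-0412 RENAME /srv/share/img01.png -> /srv/share/img01.png.ryk
2020-09-27T23:01:08 ws-0412 RENAME /srv/share/img02.png -> /srv/share/img02.png.ryk
2020-09-27T23:01:11 ws-0412 RENAME /srv/share/budget.pdf -> /srv/share/budget.pdf.ryk
2020-09-27T23:01:14 ws-0412 RENAME /srv/share/old.ryk -> /srv/share/archive/old.ryk
2020-09-27T23:01:20 ws-0412 RENAME /srv/share/plan.pptx -> /srv/share/plan.pptx.ryk
2020-09-27T23:40:00 ws-0099 RENAME /home/u/report.docx -> /home/u/report.docx.ryk
"""

# .ryk is the extension the article attributes to Ryuk; the set can be extended
SUSPICIOUS_EXTENSIONS = {".ryk"}
THRESHOLD = 5            # renames within WINDOW before a host is flagged (assumed value)
WINDOW = timedelta(minutes=1)


def parse_line(line):
    """Return (timestamp, host, old_path, new_path) for RENAME lines, else None."""
    parts = line.split(" ", 3)
    if len(parts) != 4 or parts[2] != "RENAME":
        return None
    old, new = parts[3].split(" -> ")
    return datetime.fromisoformat(parts[0]), parts[1], old, new


def suspicious_rename(old, new):
    """True when a rename appends a suspicious extension to a file that lacked it.
    A file that already carried the extension (e.g. moved into an archive) is not counted."""
    return any(new.lower().endswith(ext) and not old.lower().endswith(ext)
               for ext in SUSPICIOUS_EXTENSIONS)


def find_mass_rename_hosts(log_text, threshold=THRESHOLD, window=WINDOW):
    """Map host -> peak number of suspicious renames seen within `window` seconds,
    for hosts whose peak reaches `threshold`."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, host, old, new = parsed
        if suspicious_rename(old, new):
            events[host].append(ts)

    flagged = {}
    for host, times in events.items():
        times.sort()
        start, peak = 0, 0
        # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


if __name__ == "__main__":
    for host, count in find_mass_rename_hosts(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} files renamed to a ransomware extension within {WINDOW}")
```

A single rename to .ryk (ws-0099 above) is not enough on its own; the rate across many files is what distinguishes encryption in progress from a one-off, which is why the check counts renames per host within a window rather than matching the extension alone.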

A greater cost

Aside from the short-term cost of restoring compromised systems, these attacks can have serious consequences. When IT systems go down, clinicians must revert to paper records, if they have them, said Chris Bowen, chief privacy and security officer for ClearDATA.

“A paper record cannot help a provider detect things like adverse drug interactions. It may not reflect recent treatment or diagnoses,” he wrote in an email. “In some cases, patients have to be transferred to another facility to get the care they need, and ambulances are diverted to other – sometimes further – medical facilities.”

A recent ransomware attack brought a German hospital’s systems down earlier this month, forcing it to turn away emergency patients. As a result, a patient in a life-threatening condition died after she was taken to a different city for treatment, German authorities said.

“Healthcare technology has no margin of error because each health record represents a human life,” Bowen wrote. “Health IT systems can literally help save lives, and therefore their resiliency is of utmost importance in healthcare.”

In the case of the attack on the German hospital, hackers exploited a known vulnerability in Citrix’s VPN products. Remote teleworking infrastructure, and the thousands of connected devices in hospitals — from infusion pumps to printers — can serve as an entry point for hackers.

But email phishing is still by far the most common type of attack, Geffen said. It was the entry point for two major breaches of health insurance providers, including attacks on Premera Blue Cross and Anthem in 2015 that compromised tens of millions of patient records.

The recovery process

Typically, ransomware is the last piece in the chain of an attack. Hackers generally start with gathering information about a company, finding a port of entry, running code on machines and getting into as many connected devices as possible.

“Only then they will do the encryption,” Geffen said.

The time it takes to recover depends on how quickly the attack is detected and what protections the company already had in place. First, there needs to be a forensic investigation of the attack. It’s important to find the root cause and the point of entry — whether it’s unpatched software or a connected security camera — because it can happen again and again, Geffen said.

During this process, the company must also conduct a risk assessment to determine whether a patient data breach occurred. As each system is restored, IT staff must document any changes in the system, and come up with a rollback plan for each system in case something goes wrong during the restoration process.

“Consider the average hospital with around 500-1000 different systems and applications. In that case, one can only imagine how much work and time this step alone will take,” Bowen wrote.

To prevent future attacks, he recommends having a failover strategy, and ensuring protected health information is encrypted and backed up to a secured, separate location. Patching security holes, updating outdated systems and tightening up email filters can prevent a lot of future headaches.

Geffen said hospitals should take inventory of all the different devices that are connected to their IT infrastructure.

“Even after a few years working with hospitals, it makes me shocked. Hospitals don’t know how many devices are connected to their environment,” he said.
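The inventory problem Geffen describes is, in practice, a reconciliation between what the organization believes it owns and what is actually talking on its network. The following is an added example, not code from the article or from CyberMDX: it compares a constructed asset register against constructed DHCP-lease-style observations and reports devices on the network that are not in the register, as well as registered devices that were not seen. The register entries, MAC addresses, host names and the observation line format are all assumptions made for the example.

```python
"""Reconcile observed network devices against an asset register.
Added example with a constructed register and constructed observation lines."""
import re

# Constructed asset register, keyed by MAC address: what the organization thinks it owns
ASSET_REGISTER = {
    "00:1a:2b:3c:4d:01": {"name": "infusion-pump-icu-07", "category": "medical device"},
    "00:1a:2b:3c:4d:02": {"name": "printer-ward3", "category": "printer"},
    "00:1a:2b:3c:4d:03": {"name": "ws-0412", "category": "workstation"},
}

# Constructed observation lines (e.g. exported from DHCP leases): "<ip> <mac> <hostname or ->"
SAMPLE_OBSERVATIONS = """\
10.20.1.15 00:1A:2B:3C:4D:01 infusion-pump-icu-07
10.20.1.22 00:1a:2b:3c:4d:03 ws-0412
10.20.1.40 00:1a:2b:3c:4d:99 ipcam-lobby
10.20.1.41 00:1a:2b:3c:4d:99 ipcam-lobby
10.20.2.7 aa:bb:cc:dd:ee:ff -
"""

MAC_RE = re.compile(r"^([0-9a-f]{2}(?::[0-9a-f]{2}){5})$")


def normalize_mac(mac):
    """Lower-case the MAC so register lookups do not depend on source formatting;
    raise on anything that is not a six-octet colon-separated address."""
    mac = mac.strip().lower()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def parse_observations(text):
    """Return {mac: {"ip": ..., "hostname": ...}}, keeping the first sighting of each MAC
    so a device that renewed a lease on a new IP is still counted once."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        seen.setdefault(normalize_mac(mac), {"ip": ip, "hostname": hostname})
    return seen


def reconcile(register, observations_text):
    """Split the picture into three groups:
    unknown  - on the network but absent from the register
    missing  - in the register but not observed (offline, retired, or the register is stale)
    matched  - in both
    """
    seen = parse_observations(observations_text)
    known = {normalize_mac(m): v for m, v in register.items()}
    return {
        "unknown": {m: v for m, v in seen.items() if m not in known},
        "missing": {m: v for m, v in known.items() if m not in seen},
        "matched": {m: known[m] for m in seen if m in known},
    }


if __name__ == "__main__":
    result = reconcile(ASSET_REGISTER, SAMPLE_OBSERVATIONS)
    for mac, info in result["unknown"].items():
        print(f"UNKNOWN DEVICE {mac} at {info['ip']} ({info['hostname']}) - not in asset register")
    for mac, info in result["missing"].items():
        print(f"NOT SEEN {mac} ({info['name']}, {info['category']}) - verify status")
    print(f"{len(result['matched'])} registered devices confirmed on the network")
```

Both output lists are useful: an unregistered camera on the ward network is the kind of entry point Geffen mentions, while a registered device that never appears may simply be off, or may indicate the register itself is out of date and should not be trusted for patch or segmentation decisions.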

He also recommends a zero trust approach — essentially granting every user and device the least privilege possible.

“Organizations need to plan for an inevitable attack, not just try to prevent it. As security professionals, we know that we cannot stop every attack,” Bowen wrote. “We have to plan to prevent as many as possible, but also plan for how to minimize the damage when one is successful.”