Hospitals Under Attack - 6 More Hit Last Week in Vermont

Last Thursday, the University of Vermont Health Network was attacked by a hacker group intent on disrupting their operations. The incident affected six of their hospitals, crippling their main computer systems. Spokesperson Neal Goswami said in a text that the network is working closely with the FBI and the Vermont Department of Public Safety. Additionally, Dr. Stephen Leffler, president of the University of Vermont Medical Center in Burlington, said, “People who are in urgent need of care are getting it, and most appointments are happening. Most surgeries will happen tomorrow. We did slow some down today as we’re switching systems.”

What Happened - Could it Be Ryuk Again?

Recently in a joint press conference, the FBI and two other agencies warned the public about “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” Prior to this attack, five other hospitals were hit using ransomware called Ryuk. It’s unclear as of yet, if Ryuk ransomware was used in the attack on the University of Vermont Health Network or if it was simply a hacking incident. 

As soon as IT experts within the network noticed something was happening, they shut everything down. Leffler noted that “We have no information that any patient information has been impacted, but we are still doing that investigation.” Goswami added that it “will take some time to restore, and we are working as quickly as possible to return to normal operations.”

Although patients were told their surgeries would happen on schedule, some non-emergency elective procedures are being rescheduled until the outage is repaired. 

The Vermont Department of Health is working closely with UVM Medical Center to provide support and coordinate Coronavirus testing and laboratory results. The agency is trying hard to fill in the gaps to continue services until UVM is back up and running at full capacity. 

More Healthcare Attacks

The day before the UVM attack, New York, St. Lawrence Health System of New York detected a ransomware attack that hit three of their hospitals, and a variant of Ryuk was identified as the culprit. Their chief information officer told the press that “The security measures implemented immediately made it possible to contain the virus and protect our patients and staff.” They, too, assured the public that no patient data was accessed or obtained in the attack. With this particular event, ambulances were diverted to other locations for five hours then restored. Although by Thursday of last week, they were still trying to fully restore their computer systems. They, too, are working with the FBI, Department of Homeland Security, as well as local authorities. 

The Russians are Coming

Just last week, Bloomberg reported that cybersecurity firm Prevailion Inc. has determined that a Russian-based hacker group is planning to attack ten more U.S. hospitals in hopes of crippling their operations. A couple of days earlier, the FBI warned of the “credible threat to hospitals and other healthcare organizations.” Karim Hijazi, Prevailion’s chief executive, said that “Certainly no cybercrime is good, but this really is despicable and evil.” According to their intelligence, Prevailion has determined without a doubt that the only targets are U.S. hospitals, which are already understaffed and overworked due to the pandemic. 

The hacker group known as UNC1878 (AKA Wizard Spider) has claimed responsibility for nine hospital attacks where they shut down critical systems and demanded multimillion-dollar ransoms.

Full Court Press

Healthcare attacks started ramping up in September and have continued all over the country. Many facilities struggled to switch to manual systems. With everything computerized and stored online, quality of care suffered in some locations, even resulting in a few deaths. Since September, ransomware attacks on medical facilities have increased by 71%. Ryuk was the mechanism used in 75% of those incidents. 

The Insurance Journal reported that “Last week, the Department of Justice charged six current and former members of Russia’s military intelligence agency for allegedly carrying out some of the world’s most destructive hacking attacks, leading to billions of dollars of losses in recent years. Two days later, the U.S. government warned that Russia has been targeting U.S. government agencies since at least September and may be planning more severe attacks surrounding Election Day.”

Guidelines for Medical Facilities

In their report, the FBI and Cybersecurity & Infrastructure Security Agency issued their list of Network Best Practices as:

• “Patch operating systems, software, and firmware as soon as manufacturers release updates.
• Check configurations for every operating system version for HPH organization-owned assets to prevent issues from arising that local users are unable to fix due to having local administration disabled.
• Regularly change passwords to network systems and accounts and avoid reusing passwords for different accounts.
• Use multi-factor authentication where possible.
• Disable unused remote access/Remote Desktop Protocol (RDP) ports and monitor remote access/RDP logs.
• Implement application and remote access allow listing to only allow systems to execute programs known and permitted by the established security policy.
• Audit user accounts with administrative privileges and configure access controls with least privilege in mind.
• Audit logs to ensure new accounts are legitimate.
• Scan for open or listening ports and mediate those that are not needed.
• Identify critical assets such as patient database servers, medical records, and teleheatlh and telework infrastructure; create backups of these systems and house the backups offline from the network.
• Implement network segmentation. Sensitive data should not reside on the same server and network segment as the email environment.
• Set antivirus and anti-malware solutions to automatically update; conduct regular scans.”