Ransomware attacks on hospitals put patients at risk

Busà Photography / Getty Images

Featured eBooks
The State of Trust in Government
Cybersecurity in State and Local Government
Building Data Literacy in the State and Local Workforce
By Jenni Bergal,
Stateline
 

Connecting state and local government leaders

By Jenni Bergal,
Stateline

|

The University of Vermont Medical Center in Burlington, Vt., was hit by a massive ransomware attack during the COVID-19 pandemic. A growing number of health care systems have faced cyberattacks.

A University of Vermont Medical Center employee accidentally opened an emailed file from her homeowners association, which had been hacked, in October 2020.

That one mistake eventually led to the University of Vermont Health Network, which includes the state’s largest hospital in Burlington, having to cancel surgeries, put off mammogram appointments and delay some cancer patients’ treatments.

The ensuing ransomware attack had forced officials to shut down all internet connections, including access to patients’ electronic health records, to prevent cybercriminals from doing any more damage.

“Everything was down. So our phones were down. We no longer had fax machines. … You couldn’t use email to communicate,” Dr. Stephen Leffler, the system’s president and chief operating officer said of the attack in a recent podcast by the American Hospital Association. “That first evening, we actually sent people over to Best Buy to buy walkie-talkies.”

In the past few years, a growing number of hospitals and health care organizations across the U.S. have faced cyberattacks, interrupting care and putting patients at risk. That includes some public health facilities run by state or local governments.

“Hospitals have been hit pretty hard with high-impact ransomware attacks during the pandemic,” said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.

Riggi noted that during the pandemic, hospitals have had to rapidly expand network and internet-connected technology and deploy remote systems to support staffers who shifted to telework.

“The bad guys took advantage of that and had more opportunities to get into our networks,” he said.

Ransomware attacks have forced some hospitals to disrupt chemotherapy, delay reporting lab results and postpone appointments for maternity patients.

Some have had to divert ambulances because their emergency rooms couldn’t accept new patients.

“We’ve seen that in multiple ransomware attacks, especially with small hospitals,” Riggi said. “The next ER department could be 125 miles away.”

Just last month, the U.S. Department of Health and Human Services issued a warning about an aggressive ransomware gang that attacks health care organizations. Among its victims: a network of hospitals and clinics in Ohio and West Virginia that had to cancel surgeries and divert patients with emergencies to other facilities.

And with the heightened threat of Russian cyberattacks on the U.S. after the invasion of Ukraine, health care systems are even more vulnerable because they’re considered critical infrastructure, experts say.

“We are not aware of any specific credible direct threats to U.S. hospitals and health care systems,” Riggi said. “But we are concerned that they could become collateral damage in attacks launched by Russia. Or that Russian-speaking gangs will launch retaliatory attacks against the West.”

In February, the U.S. Cybersecurity and Infrastructure Security Agency issued a “Shields Up” warning about the growing Russian cyberthreat to organizations.

Ransomware hijacks computer systems and holds them hostage until the victims pay a ransom or restore the system on their own. It typically spreads through phishing, in which hackers email malicious links or attachments and people unwittingly click on them, unleashing malware.

In 2020 and 2021, there were at least 168 ransomware attacks affecting 1,763 clinics, hospitals and health care organizations in the U.S., according to Brett Callow, a threat analyst for cybersecurity company Emsisoft.

A November survey of 132 health care executives, most from the United States, found that ransomware was the No. 1 cybersecurity threat, more than data breaches or insider threats, according to the Health Information Sharing and Analysis Center, a nonprofit global cyberthreat-sharing group for the health care industry.

“The shift from paper health records to electronic health records has made patient health information more accessible, however, these records are more vulnerable to attacks and are extremely lucrative,” the report noted. It said hackers can demand $50 for a partial health record, versus $1 for a stolen Social Security or credit card number.

Historically, the health care sector has been playing catch-up when it comes to cybersecurity, according to Errol Weiss, the health information-sharing group’s chief security officer.

“The focus was being compliant with [federal requirements related to] the privacy of patient data, not cybersecurity,” Weiss said. “Unfortunately, a lot of health care organizations are not as good as they should have been and were easy prey.”

The pandemic made things worse as hospitals were over capacity and were busy dealing with seriously ill COVID-19 patients.

“It’s been the perfect storm, between the ransomware, all the overcapacity, people stretched thin and how vulnerable the systems were,” Weiss said.

Some cybercriminals deliberately target health care organizations; other attacks are massive phishing campaigns that happen to hook a staffer or contractor and introduce malware into the network, like the University of Vermont Medical Center attack.

The attackers wound up encrypting the hospital’s 1,300 servers and depositing malware on 5,000 devices, said Dr. Doug Gentile, senior vice president for information technology at the University of Vermont Health Network.

The electronic health network was on a separate part of the network, but the team proactively took it down at the main hospital and three other hospitals’ ambulatory clinics to prevent them from being attacked, according to Gentile.

Officials never contacted the cybercriminals or paid any ransom, he said, and no patient data was compromised.

While the hospital had a good computer backup system, it still took 28 days to rebuild the infrastructure and get electronic health records back up, Gentile said. It took several more months to restore the entire system.

For nearly a month, doctors and nurses had to do everything on paper.

“We had just spent a decade getting paper out of our system,” Gentile said. “Suddenly, we had paper everywhere. We had to get file cabinets.”

For younger doctors, it was a learning experience.

“Most of them had never written orders on paper before,” he said. “We had folks going around on the floors helping those folks write orders on paper because newer physicians didn’t know how to do that.”

Another problem: Staffers couldn’t access clinic schedules for patients, so for several days they didn’t know who was scheduled to come or when.

The cyberattack cost the Vermont hospital system about $54 million, including rebuilding the computer network and lost revenue, officials said.

Since the attack, they have beefed up advanced firewall protection and antivirus software and blocked access to personal email on work computers, Gentile said. They also regularly send out phishing emails to staffers as a test.

“This is an ongoing arms war. The groups doing these attacks are very sophisticated, very corporate,” he said. “We are always on high alert, trying to build up our defenses against another attack.”

This article was first posted to Stateline, an initiative of The Pew Charitable Trusts.

NEXT STORY: Personal information of 1.8 million Texans with Department of Insurance claims was exposed for years, audit says

X
This website uses cookies to enhance user experience and to analyze performance and traffic on our website. We also share information about your use of our site with our social media, advertising and analytics partners. Learn More / Do Not Sell My Personal Information
Accept Cookies
X
Cookie Preferences Cookie List

Do Not Sell My Personal Information

When you visit our website, we store cookies on your browser to collect information. The information collected might relate to you, your preferences or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. However, you can choose not to allow certain types of cookies, which may impact your experience of the site and the services we are able to offer. Click on the different category headings to find out more and change our default settings according to your preference. You cannot opt-out of our First Party Strictly Necessary Cookies as they are deployed in order to ensure the proper functioning of our website (such as prompting the cookie banner and remembering your settings, to log into your account, to redirect you when you log out, etc.). For more information about the First and Third Party Cookies used please follow this link.

Allow All Cookies

Manage Consent Preferences

Strictly Necessary Cookies - Always Active

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data, Targeting & Social Media Cookies

Under the California Consumer Privacy Act, you have the right to opt-out of the sale of your personal information to third parties. These cookies collect information for analytics and to personalize your experience with targeted ads. You may exercise your right to opt out of the sale of personal information by using this toggle switch. If you opt out we will not be able to offer you personalised ads and will not hand over your personal information to any third parties. Additionally, you may contact our legal department for further clarification about your rights as a California consumer by using this Exercise My Rights link

If you have enabled privacy controls on your browser (such as a plugin), we have to take that as a valid request to opt-out. Therefore we would not be able to track your activity through the web. This may affect our ability to personalize ads according to your preferences.

Targeting cookies may be set through our site by our advertising partners. They may be used by those companies to build a profile of your interests and show you relevant adverts on other sites. They do not store directly personal information, but are based on uniquely identifying your browser and internet device. If you do not allow these cookies, you will experience less targeted advertising.

Social media cookies are set by a range of social media services that we have added to the site to enable you to share our content with your friends and networks. They are capable of tracking your browser across other sites and building up a profile of your interests. This may impact the content and messages you see on other websites you visit. If you do not allow these cookies you may not be able to use or see these sharing tools.

If you want to opt out of all of our lead reports and lists, please submit a privacy request at our Do Not Sell page.

Save Settings
Cookie Preferences Cookie List

Cookie List

A cookie is a small piece of data (text file) that a website – when visited by a user – asks your browser to store on your device in order to remember information about you, such as your language preference or login information. Those cookies are set by us and called first-party cookies. We also use third-party cookies – which are cookies from a domain different than the domain of the website you are visiting – for our advertising and marketing efforts. More specifically, we use cookies and other tracking technologies for the following purposes:

Strictly Necessary Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Functional Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Performance Cookies

We do not allow you to opt-out of our certain cookies, as they are necessary to ensure the proper functioning of our website (such as prompting our cookie banner and remembering your privacy choices) and/or to monitor site performance. These cookies are not used in a way that constitutes a “sale” of your data under the CCPA. You can set your browser to block or alert you about these cookies, but some parts of the site will not work as intended if you do so. You can usually find these settings in the Options or Preferences menu of your browser. Visit www.allaboutcookies.org to learn more.

Sale of Personal Data

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Social Media Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.

Targeting Cookies

We also use cookies to personalize your experience on our websites, including by determining the most relevant content and advertisements to show you, and to monitor site traffic and performance, so that we may improve our websites and your experience. You may opt out of our use of such cookies (and the associated “sale” of your Personal Information) by using this toggle switch. You will still see some advertising, regardless of your selection. Because we do not track you across different devices, browsers and GEMG properties, your selection will take effect only on this browser, this device and this website.