Major Hospital System Hit With Cyberattack, Potentially Largest In U.S. History
Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend.
A major hospital chain has been hit by what appears to be one of the largest medical cyberattacks in United States history.
Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation.
Universal Health Services did not immediately respond to requests for comment, but posted a statement to its website that its company-wide network “is currently offline, due to an IT security issue.” One person familiar with the company’s response efforts who was not authorized to speak to the press said that the attack “looks and smells like ransomware.”
Ransomware is a type of malicious software that spreads across computer networks, encrypting files and demanding payment for a key to decrypt them. It’s become a common tactic for hackers, though attacks of this scale against medical facilities aren’t common. A patient died after a ransomware attack against a German hospital in early September required her to be moved to a different hospital, leading to speculation that it may be the first known death from ransomware.
Hackers seeking to deploy ransomware often wait until the weekend, when a company is likely to not have as many technical staff members present.
Two Universal Health Services nurses, who requested to not be named because they weren’t authorized by the company to speak with the media, said that the attack began over the weekend and had left medical staff to work with pen and paper.
One of the nurses, who works in a facility in North Dakota, said that computers slowed and then eventually simply would not turn on in the early hours of Sunday morning. “As of this a.m., all the computers are down completely,” the nurse said.
Another registered nurse at a facility in Arizona who worked this weekend said “the computer just started shutting down on its own.”
“Our medication system is all online, so that’s been difficult,” the Arizona nurse said.
The company took down systems used for medical records, laboratories and pharmacies across about 250 U.S. facilities Sunday to halt further spread of the malware attack, Universal Health President Marc Miller said in an interview Monday evening.
The outage caused no harm to patients, he said, adding that the company is investigating any reports of patients at risk. No patient or employee data appears to have been accessed, he said.
Mr. Miller declined to describe the nature of the malware. People familiar with the incident said it was a ransomware attack.
In a ransomware attack, hackers typically exploit computer vulnerabilities to install their software on a targeted computer network. The attackers then encrypt the data, making it unreadable, but they promise to unlock the system for a payment.
Ransomware attacks have become the biggest cyber threat facing corporations, said Charles Carmakal, a vice president with the cybersecurity company FireEye Inc. “They are causing a lot of havoc to organizations,” he said.
Based in King of Prussia, Pa., Universal Health operates facilities covering a range of services from psychiatric hospitals to emergency rooms to outpatient centers. The company also runs health-care facilities in Britain.
Universal Health’s U.K. hospitals weren’t hit by the attack, and networks there continue to operate, Mr. Miller said.
Where systems were affected, health-care workers switched to paper records for patients, he said, using protocols for events when computers are down, such as during maintenance. The company backs up its pharmacy records every 24 hours and has already restored some of its network, Mr. Miller said, while adding it is unclear how long it will take to fully recover from the attack.
Mr. Miller said that Universal Health is cooperating with the Federal Bureau of Investigation on the matter. An FBI spokeswoman didn’t immediately have a comment on the incident.
UHS this month said that CEO and company founder Alan Miller would retire from the post in January, while retaining the role of executive chairman. It appointed Marc Miller to serve as the next chief executive of the company that had about $11.4 billion in revenue last year.
The health-care facilities provider, in its latest annual report, warned that a cybersecurity incident could put it at risk of breaching U.S. health privacy rules known as HIPAA and could pose a risk of financial and reputational damage.
Under HIPAA, a malware attack that exposes patients’ personal health information could require hospitals to publicly disclose the breach, said Mark Barnes, a partner at the law firm Ropes & Gray LLP. Hospitals also face fines for privacy and security violations under the law. Ransomware attacks are a potential HIPAA violation, under guidance issued by federal health officials, Mr. Barnes said.
Hospitals are increasingly dependent on information technology after more than a decade of investment to expand use of computer medical records and growing numbers of networked medical devices. Those developments have made the sector highly vulnerable to malware, along with other industries at high risk of cyberattacks, such as banks, Moody’s Investors Service said last year.
Mr. Miller said that the hackers that attacked Universal Health Services used a previously unknown technique to break into the company’s computer systems. He declined to say whether the hackers had requested payment from the company.
Ransomware attacks have plagued other major institutions recently. A hacker of a large public-school district in Las Vegas published documents containing Social Security numbers, student grades and other private information stolen after officials refused the ransom demanded, The Wall Street Journal reported Monday.
International law enforcement authorities during the height of the pandemic warned that hospitals and health-care facilities in multiple countries were being targeted in ransomware attacks.
Often a ransomware attack is the first phase of a multistage extortion attempt from cybercriminals, FireEye’s Mr. Carmakal said. Criminals routinely demand millions of dollars to unlock the encrypted systems, and then follow that up by threatening to publish stolen data on the internet if they aren’t paid a second time.
Mr. Carmakal said that although health-care providers are frequent targets, most ransomware criminals stay away from hospitals because taking systems offline could cause patient harm. “Most people don’t want to kill other people in the process of making money,” he said. “But there are some who just don’t care and it’s a means to an end.”
Hackers Bearing Down On U.S. Hospitals Have More Attacks Planned
A Russia-based ransomware group responsible for a new wave of attacks against U.S. hospitals is laying the groundwork to cripple at least ten more, according to the cybersecurity firm Prevailion Inc.
Prevailion’s analysis comes a day after the FBI and two other federal agencies issued a warning about an imminent and credible threat to hospitals and health-care providers from cyber-attacks, including ransomware capable of locking entire computer networks.
The hacking group responsible — known among some experts as UNC1878 and others as Wizard Spider — has already hit at least nine hospitals in three weeks, crippling critical computer systems and demanding multimillion-dollar ransoms.
The health-care attacks have been ongoing since at least September, according to the cybersecurity firm Crowdstrike. The victims included Sky Lakes Medical Center in Klamath Falls, Oregon, where doctors are struggling to keep track of patient medications and other critical information on paper rather than the digital systems they normally use.
“The increased workload is astronomical for all hospital employees and will inevitably have an impact on patient care,” said one of the hospital’s doctors, who wasn’t authorized to speak to the press and asked not to be named.
The timing of the latest wave of attacks – coming as the U.S. nears 9 million coronavirus infections and hospitalizations surge – has unsettled security experts used to the ruthlessness of global cyber gangs.
“Certainly no cyber crime is good, but this really is despicable and evil,” said Karim Hijazi, Prevailion’s chief executive.
Over the last 24 hours, Prevailion has gained access to the communications that the Russian hackers are using to control computers inside U.S. hospitals, as well as other victims worldwide. That data shows that the hackers have infiltrated at least 440 organizations globally, including government agencies, pharmaceutical companies and universities, Hijazi said.
But it’s the targeting of medical care facilities that is most worrying. The infected organizations include hospitals in New Jersey, Georgia, Florida, Massachusetts, Texas and Arkansas, according to data provided by Prevailion. “It’s abundantly clear that the group is really zeroing in on U.S. hospitals,” Hijazi said.
Ransomware is a type of malware that locks computers while hackers demand ransom payments to unlock them. In the most recent spate of attacks, ransoms vary based on factors like hospital size and perceived willingness to pay, according to Charles Carmakal, the strategic services chief technology officer at the cybersecurity firm FireEye Inc. He said ransom demands in the current attacks have been in the seven- and eight-figure range.
Last year, ransom demands by the group included $5.5 million and $12.5 million, according to Adam Meyers, Crowdstrike’s vice president of intelligence.
The U.S. Government issued a joint cybersecurity advisory late Wednesday to guide hospitals and health-care providers who may be victims of a malware attack. In it, the agencies highlighted the damage that the malicious tools used by attackers — Trickbot, a so-called botnet of infected computers, and Ryuk, a type of ransomware — can cause, and how swiftly they may steal medical data.
“Trickbot infections may be indicators of an imminent ransomware attack,” according to the advisory. “System administrators should take steps to secure network devices accordingly.”
As Covid cases have spiked across the U.S., so have ransomware attacks on health-care providers. The U.S. health-care sector endured a 71% increase in ransomware attacks in October, compared to September, the most among U.S. industry sectors, according to the cyber-research firm Check Point Software Technologies Ltd.
The Ryuk strain of ransomware accounted for 75% of the attacks on the U.S. health-care sector in October, according to Check Point.
“I think the timing, at a minimum, is interesting,” said John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association. “I think adversaries know how distracted and consumed we are with the election. Hospitals are dealing with an uptick in Covid cases. With our resources stretched thin, it puts us in a higher risk situation.”
Several hospital companies have reported being struck by cyber-attacks in recent days, including the University of Vermont Health Network, which includes six hospitals.
Those attacks aren’t included in Prevailion’s analysis, which only picks up networks that are infected but where the malicious payload hasn’t yet detonated. Hijazi said his firm was working with other cybersecurity researchers to reach out to the hospitals to make sure they were aware of the potential threat. He wouldn’t identify the hospitals whose networks were infected.
The wave of attacks has unsettled medical workers, some of whom are struggling to handle an influx of Covid patients.
“Trickbot is a massive botnet that’s really hard to smother,” said Christian Dameff, an emergency room doctor and medical director of cybersecurity at UC San Diego Health. “You can take the wind out of its sails, but I don’t think anyone is under the illusion that it can be taken down easily.”
A doctor at one of the affected hospitals who requested anonymity said her biggest fear is an avoidable death caused by a lack of access to computers. “All of our computers are off and we are running entirely on paper charting, using fax machines to communicate between different parts of the hospital,” the doctor said.
“There are established procedures for this so we have adapted quickly. We just aren’t used to relying on these back-up procedures for more than a few hours at a time,” she said. “This is unfortunately a perfect set up for important information to get missed or not come back fast enough and for patients to get harmed.”
The wave of ransomware attacks comes as the U.S. government has attempted to crack down on Russian computer meddling. U.S. Cyber Command on Thursday issued a separate alert warning that Russian state-sponsored hackers had targeted ministries of foreign affairs and national parliaments to “spy, steal data & install malware.”
Last week, the Department of Justice charged six current and former members of Russia’s military intelligence agency for allegedly carrying out some of the world’s most destructive hacking attacks, leading to billions of dollars of losses in recent years.
Two days later, the U.S. government warned that Russia has been targeting U.S. government agencies since at least September and may be planning more severe attacks surrounding Election Day.