Did Hospital Chain Pay a Ransom After Attack?
Sen. Mark Warner of Virginia
On Monday, UHS noted that it had restored the majority of its IT operations.
“With back-loading of data substantially complete at this point, hospitals are resuming normal operations,” according to an updated notice on the UHS website. “The wide area networks at the majority of our behavioral health facilities are back online as well, with the remaining to follow shortly.”
The company, which has 250 U.S. hospitals, has said it has “no indication that any patient or employee data was accessed, copied or misused.”
In a Friday letter to UHS Chairman and CEO Alan Miller, Warner, who serves as the vice chairman of the Senate’s Intelligence Committee, poses a series of questions, including:
- Has UHS paid a ransom to the attackers?
- Has any healthcare information been exfiltrated from UHS owned or operated systems without authorization?
- Does UHS have effective segmentation measures in place within its healthcare facilities to prevent any type of malware from spreading?
- How are clinical medical devices isolated from administrative systems and networks to ensure a breach of the administrative network does not interrupt medical devices?
In his letter, Warner suggests that threat actors are taking advantage of the COVID-19 pandemic, along with the increasing number of connected devices and systems that healthcare organizations are now using, to launch attacks that put patient data at risk.
“Any failure to protect this considerable attack surface with appropriately segmented networks and data provides opportunities for lateral movement across disparate systems,” Warner writes. “An unmitigated breach in one facility can cripple systems at hundreds of medical facilities, risking patient care throughout a large provider network while healthcare delivery remains strained by a pandemic.”
The COVID-19 crisis “only exacerbates the consequences of insufficient cybersecurity,” Warner writes. “The need for healthcare providers to address cybersecurity threats has been obvious for several years now. Clinical providers, including UHS, must ensure all information, medical and critical systems are sufficiently protected.”
UHS did not immediately respond to an Information Security Media Group request for comment on Warner’s letter.
UHS has only revealed that “malware” caused the company to shut down its internal network on Sunday, Sept. 27.
But news reports, citing UHS insiders, state that the national hospital chain apparently sustained a ransomware attack, possibly involving a strain known as Ryuk (see: Universal Health Services Network Outage: Lessons to Learn).
Ryuk has been linked to other ransomware attacks aimed at healthcare organizations, including a September incident affecting Philadelphia-based eResearchTechnology, which has been involved in COVID-19 research. The Cybersecurity and Infrastructure Security Agency has also warned about threat actors using the Emotet botnet to deliver Ryuk (see: CISA Warns of Emotet Attacks Against Government Agencies).
Fatal Consequences of Ransomware
In September, an attack directed at a German university that shut down emergency services at an affiliated hospital likely contributed to the death of a patient who needed urgent treatment but instead had to be transported to another hospital, delaying care, according to news reports (see: Ransomware Attack at Hospital Leads to Patient’s Death).
Brett Callow, a threat analyst at security firm Emsisoft, says the ransomware attacks on UHS and others mean questions such as those posed by the senator “should be asked far more often.”
He adds: “Understanding how and why attacks happen is key to preventing them – or, at least, limiting their scope. … Should existing legislation such as HIPAA be strengthened? Should healthcare organizations be subject to more audits or other forms of oversight? Should federally mandated baseline security standards be put in place? These questions can only be answered if lawmakers understand why hospitals continue to fall victim to ransomware attacks.”
Managing Editor Scott Ferguson contributed to this report.