Hospital and healthcare services provider Universal Health Services has restored its network after being offline for more than a week in the wake of a massive cyberattack which forced it to shut down systems at locations across the US. The health system had disconnected the network to prevent the propagation of a malware attack.
According to Becker’s Hospital Review, UHS is now in the process of restoring its EHR and back-loading data from the past week while hospitals were under downtime protocols.
UHS, which runs more than 400 healthcare facilities in the US and UK, has more than 90,000 employees and cares for about 3.5 million patients each year. Its network appears to have been hit by a Ryuk ransomware attack which left a number of UHS hospitals in the US without access to computer and phone systems, including facilities in California, Florida, Texas, Arizona and Washington, D.C.
According to Jeff Horne, CSO of IoT security firm Ordr, Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing approaches (which we covered in depth recently) and can propagate and infect IoT/IoMT devices. Once on an infected host, it can pull passwords out of memory and then laterally move through open shares, infecting documents and compromised accounts, Horne says.
The Ryuk attack on UHS managed to disable multiple antivirus programs in place on the targeted systems. Once the antivirus software was disabled, the Ryuk malware caused the computers to log out and shut down, and if administrators attempted to reboot these systems, they simply shut down again. With their systems shut down, UHS clinicians were unable to access vital information, including data found in their EHR or PACS system.
While it would be nice to think that UHS’ negative experiences were rare, the truth is that healthcare industry organizations remain popular targets for cyberattacks.
According to recent research by HIMSS and Mimecast, 90% of healthcare organizations experienced email-borne attacks over the past year, with 25% suffering from very or extremely disruptive attacks.
Attacks that impersonated trusted vendors or partners were the most common cause of disruption (61%), followed by credential-harvesting focused phishing attacks (57%).
More concerning, nearly three quarters (72%) of respondents experienced downtime as a result of an attack. The most common type of loss was productivity, followed by data loss (34%) and financial losses (17%).