A malware attack at Universal Health Services, one of the largest hospital chains in the U.S., has highlighted long-standing cybersecurity concerns faced by hospitals.
To contain a malware intrusion that UHS discovered in its information systems Sunday, UHS took all of its U.S. information technology networks offline, including systems for medical records, laboratories and pharmacies. UHS has been bringing servers back online as it investigates the cyberattack, so some facilities don't have all applications available yet.
Not all of UHS' information systems were compromised by malware. The malware didn't hit UHS' electronic health records system, though the system was taken offline as part of UHS' response, according to Marc Miller, UHS' president. The health system last month said Miller will take the helm as CEO in January when his father, UHS founder and longtime CEO Alan Miller, steps down.
"We promptly shut down in order to prevent further propagation," Miller said of UHS' IT networks in an interview with Modern Healthcare. That practice is part of the system's established procedures for dealing with a cyberattack of this nature—though "we've never had anything at this level," he said.
UHS has reported the cyberattack to federal agencies, including the Federal Bureau of Investigation, Miller said.
The health system encompasses 400 facilities including acute-care hospitals and ambulatory surgery centers across the U.S. and the United Kingdom. The attack appears to be one of the largest reported healthcare cyberattacks.
So far, UHS hasn't found evidence that patient or employee data was accessed or copied during the cyberattack, according to a statement it posted online Tuesday.
Other healthcare executives can learn four cybersecurity lessons from the attack.
1. Get offline procedures in place. When a malware attack brings down a hospital's information systems, it disrupts internal business processes as well as patient care, often forcing hospitals to divert patients to nearby facilities and limiting access to patient records.
That makes healthcare cyberattacks a patient safety issue, said John Riggi, the American Hospital Association's senior adviser for cybersecurity and risk. Just last month, a patient in Germany died after an ambulance was diverted from a hospital hit with ransomware, in what appears to be the first death resulting from a ransomware attack.
"We consider any cyberattack against a hospital or health system a potential threat-to-life crime—not just an economic crime," said Riggi, who has argued the U.S. government should prosecute ransomware attacks at hospitals as such. "Any delay in treatment caused by a ransomware attack could have an adverse outcome for the patient."
In the wake of UHS cyberattack, staff have been using paper records to document patient care, leading to challenges coordinating care and obtaining medical histories. Some UHS facilities have had to divert ambulances and cancel surgeries, according to the Wall Street Journal, and some sites are experiencing longer wait times at emergency departments, according to CBS News.
Miller acknowledged it takes longer to complete tasks when systems are offline, but said staff are following established downtime procedures. Downtime procedures are also used during natural disasters and maintenance on information systems, in addition to cyberattacks, so staff have had experience with them, he said.
2. Preserve the evidence. In the wake of a cyberattack, executives typically home in on how to address the intrusion and maintain operations. But it's also important to protect anything that could be evidence for an investigation, including documenting any communication from hackers and not deleting suspicious or malfunctioning files.
UHS is currently investigating the incident.
Figuring out how and what to document can be "tricky," noted Lani Dornfeld, a healthcare attorney at law firm Brach Eichler, so organizations should have IT experts—either in-house staff or outside consultants—lined up to provide support.
During an investigation, IT teams will analyze data from systems and networks to determine if patient data was accessed or removed—and it is important to be able to review as much data as possible, said Tyler Hudak, a practice lead for incident response at cybersecurity firm TrustedSec who previously served as a team lead for Mayo Clinic's security operations center.
"When I get into an incident response and start performing forensics, we want to see all the data that we can," he said.
Increasingly, hackers won't just deploy ransomware to encrypt data. They will remove data from the system, and then threaten to release it if the victim doesn't pay, he said.
That typically involves hackers gathering data they want to steal into a central location in the network, and then transferring it at once—so that's one sign Hudak said he looks for during a forensic review.
3. Watch for ransomware. Ransomware has been wreaking havoc on healthcare facilities for years, and it's getting more sophisticated, experts say. It's unconfirmed what type of malware was involved in the cyberattack at UHS, but reports from employees have suggested the incident stems from a Ryuk ransomware attack, according to BleepingComputer, a computer and cybersecurity news site.
Ryuk is a ransomware strain that hackers tend to use on large, enterprise organizations, said Ido Geffen, vice president of product at cybersecurity company CyberMDX. He said hackers deploying Ryuk will often spend weeks infiltrating and spreading throughout an organization's systems and devices, before making a ransom demand.
Hackers are "taking their time," Geffen said.
Miller declined to share what type of malware was involved in the cyberattack and how hackers were able to deploy it into UHS' systems, since the health system is still working on investigating the incident.
"We're continuing to review the forensic evidence," Miller said. "We're only a few days into this, so we're just not ready to come to conclusions."
4. Choose who to alert. Riggi recommended hospitals dealing with cyberattacks notify federal authorities—such as the FBI and the Homeland Security Department—who can help with responding to the incident. Organizations aren't required to notify the FBI after a cyberattack, but it's "strongly recommended," he said.
If it's possible patient information has been breached as defined by HIPAA, UHS will also have to notify the affected individuals, local media outlets and HHS' Office for Civil Rights.
Hospitals might also want to establish social media policies as part of incident response, Hudak said. Public information about the UHS cyberattack first emerged on Reddit, where employees posted about being unable to access phone and electronic systems. Knowing where information is shared is a key component of responding to an attack, he said.
Organizations need to "get ahead of the curve and control the information going out," Hudak said.