UHS breach shows the dangers facing hospitals with growing ransomware threats

Almost a week after being hit with a massive cyberattack, Universal Health Services still hasn't fully recovered its IT systems. 

Computer systems at the health system began to fail Sept. 27, leading to a network shutdown at 250 of its hospitals around the country.

UHS said in a statement Thursday it was "making steady progress" but did not indicate when the systems would be fully restored. Facilities are using established back-up processes including offline documentation methods, the health system said.

The organization was hit with a notorious ransomware strain known as Ryuk, according to media reports. It's just the latest example of the growing cyber threats facing hospitals and health systems already reeling from the impact of the COVID-19 pandemic.

The Department of Health and Human Services’ Office of the Assistant Secretary for Preparedness and Response this week issued an update (PDF) on the Ryuk ransomware threat to the healthcare and public health sectors.

Cybersecurity experts say ransomware attacks against hospitals have ratcheted up in recent years as organizations will pay high ransom demands to recover access to critical medical data.


"Ransomware used to be what I call the spray-and-pray method. They would send thousands of ransom spam emails. In the last two years, there have been more targeted attacks, in healthcare and education. These attacks have crippled the systems so organizations have to pay the ransom or suffer greatly with not paying it," said Ara Aslanian, co-founder and CEO at Inverselogic, an IT consultant firm.

Vulnerable by design

Healthcare organizations are more vulnerable to attacks due to the variety of endpoints from different devices and systems, cybersecurity experts say.

"Most healthcare systems have so many different software packages and they depend on so many different systems, emergency systems, X-ray software, pharmaceutical software, patient data and records management," Aslanian said.

John Riggi, senior adviser for cybersecurity and risk at the American Hospital Association, said in a recent blog post that health systems face a COVID-19-induced "cyber triple threat." The "attack surface" has expanded as more employees work from home and use network connected technologies combined with a rise in cyberattacks by criminals taking advantage of the expanded attack surface. On top of that, there's reduced revenue for hospitals and health systems to bolster cyber defenses, Riggi said.

And for health systems, the stakes can be very high, as patient safety is on the line during an attack.


"Turning hospitals back to 1950s paper-based operations, during a pandemic, will cause people to die in spite of best efforts and back-up plans," said Lee McKnight, an associate professor at the Syracuse University School of Information Studies whose research specialties include cybersecurity.

In Germany, authorities believe a cyberattack at a hospital led to one woman's death. During the attack in September, German authorities believe a woman in a life-threatening condition died from delayed treatment after the ambulance was diverted to another hospital, The New York Times reported. It could be the first recorded fatality from a ransomware attack.

Building accountability from the board down

Many cybersecurity experts believe there needs to be substantial changes to hospital IT systems or the problem will get worse.

Poorly built legacy systems without access control are making it easier for hackers to take hospital systems down, McKnight said. Health systems need to transition to a secure cloud architecture that includes "least privileges"—or restricted access rights to only those resources absolutely required—by design, he said.

Requiring hospitals and vendors to get cybersecurity certification would also help hold organizations accountable for their security practices, much like hospitals have to be compliant with the Health Insurance Portability and Accountability Act, according to Aslanian.

As an example, the Defense Department rolled out a new certification model for its contractors to more quickly bring its entire industrial base up to date with best cybersecurity practices.

"I think it comes down to holding the boards accountable for a data breach. It could cost somebody’s life someday," he said. "You need a security compliance officer who serves on the board, or as part of the executive team."

Many health system boards are composed of "old-school doctors" who "don't get it" and often don't understand the need for things like two-factor authentication for IT security, he said.

Colin Zick, partner and co-chair of the privacy and data security practice at Foley Hoag, has a different take. "I've never been a fan of a designated cyber seat on the board. That can cause other board members to think 'That person has got this and I don't have to worry about it.' It's the responsibility of the entire board and of management."

He added that large health systems are putting substantial resources into IT. "It's not being ignored, but it's a tough problem. Ransomware is turning into a big business."


Healthcare organizations have a long history of not investing enough in cybersecurity, according to Charles Goldberg, data security expert at e-security group Thales. Along with investing more resources, there needs to be a change in thinking at the board level, he said.

"This concept around perimeter security and network security, that’s not working. And these ransomware attacks start with an email, a phishing scam, but it can't ensure that every single employee is going to do the right thing every time and a hacker only has to get it right once," he said.

Rather, health systems should focus on multifactor authentication to make it harder for hackers to steal credentials, then encrypt all healthcare data and implement better access control to limit who can access the data, Goldberg said.

"We tell kids not to play with matches, but we first hide the matches before we teach them that," he said.

As a new wrinkle, the U.S. Department of the Treasury's Office of Foreign Assets Control on Thursday issued an advisory alerting companies that might pay ransomware attackers to the potential sanctions risks of facilitating ransomware payments.

This means that cyber insurance firms and companies involved in digital forensics should cautiously consider any payments to ransomware attackers, Zick said. 

Zick recommends health systems conduct penetration testing to find weaknesses in their IT security and to back up their data. "That way, if the bad guys get to you, it’s not going to be a big deal."