There are major concerns for the health of patients across America and beyond after one of the nation’s largest hospital providers was struck by an apparent ransomware attack over the weekend.
Universal Health Services (UHS) claims to operate around 400 acute care hospitals, behavioral health facilities and ambulatory centers across the US, Puerto Rico and the UK.
It posted a brief statement on Monday morning Eastern Time admitting that its IT network across all UHS facilities is currently offline due to an “IT security issue."
“We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible,” it continued.
“In the meantime, our facilities are using their established backup processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”
Given its reference to backup processes, the incident seems very much like a ransomware attack. It also fits the classic ransomware MO of attacking targets at the weekend when technical support may take longer to rally, and of targeting healthcare organizations that have much to lose from refusing to pay.
In fact, Microsoft revealed in April that ransomware gangs were deliberately targeting the healthcare sector during the COVID-19 crisis.
Reports on social media suggest that some patients are being redirected to other hospitals, as UHS continues to tackle the IT incident.
Fresh in the mind is an incident in Germany earlier this month when a patient died after delays to her treatment caused by a ransomware attack.
There will also be concerns about the security of patient data at UHS hospitals, given many ransomware gangs now also steal information in a bid to force payment.
However, UHS claimed: “No patient or employee data appears to have been accessed, copied or misused.”
There was a 20% increase in ransomware attacks in the first half of 2020, to top 121 million, according to SonicWall.
Daniel Norman, senior solutions analyst at the Information Security Forum, argued that the healthcare sector has an outdated approach to cybersecurity.
“With this industry adopting new and emerging technologies, the requirement to educate and train the entire workforce on a range of cyber-risks and threats is urgent. In addition, the safety and wellbeing of patients has historically been the top priority, so this mindset needs to translate into the security of systems and devices that will underpin the lives of many,” he added.
“Basic cyber-hygiene standards need to be met, covering patching and updates, network segmentation, network monitoring and hardening, especially for technologies such as AI, robotics and IoT devices. Privacy should also be a high priority for anyone handling sensitive information, considering the shift towards storing patient records online.”