Army National Guard Deployed to UVM to Assist Ransomware Recovery

The Vermont Governor deployed the Army National Guard’s Cyber Response team to the University of Vermont (UVM) Health Network a week after a ransomware attack hobbled its network.

Vermont Governor Phil Scott announced the deployment of the Army National Guard’s Combined Cyber Response Team to the University of Vermont Health Network to assist with ransomware recovery efforts, one week after the network fell victim to a massive cyberattack. 

The CCRT consists of soldiers from the 2nd Detachment, 136th Cyber Security Company, and Joint Force Headquarters, Vermont Defensive Cyber Operations Element. The team is designed to respond to state or federal missions and recently participated in Cyber Shield 2020, a national-level exercise for honing cyber support abilities.

The hope is that with the support of CCRT, UVM Health Network will be able to steadily restore systems in a safe and secure manner, Scott explained. Notably, ransomware attacks cause 15 days of EHR downtime, on average. However, recovery efforts for the recent Universal Health Services’ ransomware attack took more than three weeks.  

UVM began investigating a significant system-wide network outage during the week of October 25, which was later found to be caused by a ransomware attack. At least six of its hospitals were affected by the event, with its MyChart Patient Portal and UVM Medical Center experiencing the greatest impact. 

The medical records system went down during the attack, which prompted the delay of some elective care services. Some patient delays were also seen at Central Vermont Medical Center in Burlington and Champlain Valley Physicians Hospital, but all sites continued to fully provide patient care amid the EHR downtime procedures. 

The ransomware has disrupted electronic communications across the network of sites, and the radiology department experienced serious appointment delays, only opening on a limited basis. 

Patient care has been maintained throughout the recovery efforts, but the sites hardest hit by the incident have seen delays in patient operations – especially at the main medical center. 

The latest update told patients: “If you need to schedule a non-urgent appointment or contact us about a non-urgent matter, we ask that you wait until this situation is resolved.”  

According to UVM Health Network President and CEO John Brumsted, MD, recovery efforts are continuing around the clock. The deployment of the National Guard is designed to support these ongoing efforts, which include a review of thousands of end-user computers and devices to ensure the malware has been completely eradicated.

Col. Chris Evans, chief information officer, Vermont Army National Guard, said the CCRT has been working closely with the UVMHN Information Technology team to implement the best possible support plan.

“National Guard Cyber Soldiers are trained IT professionals that come with military and industry backgrounds and training,” Evans said in a statement. “This diverse training and experience fosters efficient and effective cyber response teams capable of a wide range of technological security tasks.” 

“The deployment of the Vermont National Guard's CCRT will aid our recovery from this incident, and this team’s expert advice and assistance will bolster our network’s operations going forward,” Brumsted said in a statement. “We will continue to dedicate all available resources to this response until our systems are restored.” 

Ahead of the deployment, Scott issued an executive order on October 31 and the support began on November 4. The order will terminate at midnight on November 8, unless extended by the governor. 

The FBI, the Department of Homeland Security, and the Department of Health and Human Services recently warned the healthcare sector to be on alert and take preventative measures in light of a wave of presumably coordinated ransomware attacks across the country. 

The attack on UVM Health Network occurred during the same timeframe as cyberattacks on Sky Lakes Medical Center in Oregon, St. Lawrence Health System in New York, Sonoma Valley Hospital in California, and Dickinson County Healthcare System.

The deployment of Ryuk ransomware has been confirmed at Sky Lakes and St. Lawrence and is also suspected to be behind the UHS attack. But Mount Locker ransomware actors claimed the attack on Sonoma Valley Hospital, leaking “proofs” of data they allegedly exfiltrated during the attack.

It's imperative that healthcare entities review ransomware guidance from NIST, the Office for Civil Rights, Microsoft, and the FBI to prevent falling victim to ransomware.
