
Attack on Universal Health Services a cry for change

A suspected ransomware attack on Universal Health Services is an existential crisis for healthcare organizations that needs to be addressed, according to one security expert.

An IT network for 400 healthcare facilities in the U.S. has been shut down due to malware, and the healthcare services provider is still battling the crippling cyberattack.

Universal Health Services Inc. is a Fortune 500 company and one of the largest healthcare services providers in the U.S., serving 3.5 million patients a year with annual revenues of $11.4 billion for 2019. In a press release, the organization said there is no indication that patient or employee data has been accessed, copied or misused since the attack occurred Sunday. Its acute care and behavioral health facilities are currently relying on backup processes, including offline documentation methods, to deliver patient care.

While Universal Health Services has not released information on the type of malware that has impacted its IT network, cybersecurity professionals have speculated that the provider is a victim of Ryuk ransomware, a type of malware operated by a Russian criminal group that encrypts devices or data and blocks access until a ransom is paid.

The Universal Health Services attack comes on the heels of others, including a ransomware attack on Blackbaud, a cloud-based fundraising software vendor, that has affected millions of patients, and an attack on a hospital in Düsseldorf, Germany, which may be responsible for the death of one patient.

Caleb Barlow, CEO and president, CynergisTek

With ransomware attacks becoming more common and more costly, healthcare organizations face an existential dilemma: Step up security measures or continue making themselves vulnerable to the kinds of attacks that can put the lives of patients at risk, according to Caleb Barlow, president of healthcare cybersecurity firm CynergisTek.

"Some attacker, a human halfway around the world, knowingly came after one of the largest health systems in the United States and intended to lock it up to the point at which they would have to divert patients," Barlow said of the Universal Health Services cyberattack. "We have to pause and look at the attacker intent, take a step back and say, 'Are we going to allow this type of thing to continue?' That is a level of potential kinetic impact that I don't think we can accept as a society."

Universal Health Services cyberattack

The Universal Health Services attack is significant not only because of the number of locations impacted, but because employees have reported that, in some cases, patients were diverted to other hospitals, Barlow said.

"If you have 400 facilities start to divert patients, we've got a whole other level of dialogue as a nation that we have to have over this," he said.

Rerouting patients could impact the "golden hour" in emergency medicine, or the time in which EMS teams have to get a trauma patient safely to the hospital, according to Barlow.

Barlow pointed to the incident in Germany, where a patient may have died from a ransomware attack after being denied access to an emergency room and sent to another hospital. But, unlike the Germany incident, he said he is not aware of the attackers sending decryption keys to Universal Health Services, reflecting a lack of compassion by its attackers.

"If you're willing to take down a system of this size in the middle of a global pandemic, all signs of empathy are out the window," he said.

Lee McKnight, associate professor at the Syracuse University School of Information Studies, said the possible Ryuk ransomware attack was not only premeditated but likely seen as lucrative.

"This Ryuk group, these are professionals, this is their day job, this is what they do," McKnight said. "It's called big game hunting ... taking down 400 hospitals at once? This is not just another hit, this is going to be bad."


Indeed, Barlow said ransomware attacks have evolved rapidly, but healthcare organizations have not adapted to the pace of change. Initially, when attacks first began hitting healthcare systems, the ransom demands were minimal, so the organization could pay the ransom and recoup the losses through insurance. Today, that strategy is no longer affordable, and the only way healthcare organizations can root out the problem is to stop paying ransoms, Barlow said.

"We're now in the realm where these ransom demands are in the millions and we know it's having a kinetic impact on patients' lives," he said. "Now we have to ask a different question: Is it time for us as a society to agree that we're not going to pay these things anymore? The only way we're going to change criminal behavior is to change the economics for the bad guys."

Getting in a better cybersecurity position

One reason healthcare systems fall victim to ransomware attacks is that they are unable to keep up with security investments that rival the innovation and technology of the attacks, Barlow said. But there are things healthcare systems can do to shore up their defenses.

Barlow recommended three steps to better an organization's cybersecurity posture. They are as follows:

  1. Multifactor authentication

Simply put, Barlow said if a healthcare system does not employ multifactor authentication, its systems are not secure. Passwords are notoriously easy to hack, and by requiring multiple forms of identification, such as a password and a biometric characteristic like a fingerprint, a healthcare system stands a better chance of identifying a bad actor trying to log in to its systems.

  2. Endpoint protection

Especially with so many healthcare employees mostly working from home, Barlow said it's critical that security provisions are implemented directly on the actual endpoint, such as an employee home network and laptop.

  3. Network segmentation

Barlow said this security step is the hardest for healthcare systems to accomplish, but the most crucial. To minimize the damage done during a breach, it's important to keep systems as separated as possible. Network segmentation is one method to employ, which divides a network into segments or subnets that provide for more control between systems. For example, a healthcare system should make sure the emergency room is not on the same network segment as the surgical wing.
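The segmentation point can be checked against an asset inventory. The following audit is an added example, not part of the original article or anything Barlow supplied; the department names, subnets and hostnames are constructed sample data, and the function names are hypothetical.

```python
import ipaddress
from itertools import combinations

# Constructed sample data (not from the article): department -> subnets.
SEGMENTS = {
    "emergency": ["10.10.0.0/24"],
    "surgery": ["10.20.0.0/24"],
    "billing": ["10.20.0.128/25"],  # deliberately overlaps the surgery range
}
# Constructed asset inventory: (hostname, owning department, IP address).
ASSETS = [
    ("er-triage-01", "emergency", "10.10.0.15"),
    ("or-anesthesia-02", "surgery", "10.20.0.40"),
    ("er-monitor-07", "emergency", "10.20.0.77"),  # ER device on the surgery subnet
    ("bill-ws-03", "billing", "10.20.0.200"),
]

def parse_segments(segments):
    """Turn CIDR strings into ip_network objects, keyed by department."""
    return {dept: [ipaddress.ip_network(c) for c in cidrs]
            for dept, cidrs in segments.items()}

def overlapping_segments(segments):
    """Return sorted (dept_a, dept_b) pairs whose address ranges overlap."""
    nets = parse_segments(segments)
    found = set()
    for a, b in combinations(sorted(nets), 2):
        if any(x.overlaps(y) for x in nets[a] for y in nets[b]):
            found.add((a, b))
    return sorted(found)

def misplaced_assets(segments, assets):
    """Return (host, owner, segments_it_sits_in) for hosts addressed
    outside every subnet assigned to their own department."""
    nets = parse_segments(segments)
    findings = []
    for host, dept, ip in assets:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in nets.get(dept, [])):
            continue  # host is inside one of its department's segments
        located = sorted(d for d, ns in nets.items()
                         if any(addr in n for n in ns))
        findings.append((host, dept, located))
    return findings

if __name__ == "__main__":
    for pair in overlapping_segments(SEGMENTS):
        print("overlapping segments:", pair)
    for host, owner, located in misplaced_assets(SEGMENTS, ASSETS):
        print(f"{host} ({owner}) is addressed in {located or 'no known segment'}")
```

Address-plan hygiene is only the first check; segments are isolated only when the firewall or ACL policy between them denies traffic by default.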
