A University of Vermont Medical Center employee accidentally opened an emailed file from her homeowners association, which had been hacked, in October 2020.
That one mistake eventually led to the University of Vermont Health Network, which includes the state’s largest hospital in Burlington, having to cancel surgeries, put off mammogram appointments and delay some cancer patients’ treatments.
The ensuing ransomware attack had forced officials to shut down all internet connections, including access to patients’ electronic health records, to prevent cybercriminals from doing any more damage.
“Everything was down. So our phones were down. We no longer had fax machines. … You couldn’t use email to communicate,” Dr. Stephen Leffler, the system’s president and chief operating officer, said of the attack in a recent podcast by the American Hospital Association. “That first evening, we actually sent people over to Best Buy to buy walkie-talkies.”
In the past few years, a growing number of hospitals and health care organizations across the U.S. have faced cyberattacks, interrupting care and putting patients at risk. That includes some public health facilities run by state or local governments.
“Hospitals have been hit pretty hard with high-impact ransomware attacks during the pandemic,” said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.
Riggi noted that during the pandemic, hospitals have had to rapidly expand network and internet-connected technology and deploy remote systems to support staffers who shifted to telework.
“The bad guys took advantage of that and had more opportunities to get into our networks,” he said.
Ransomware attacks have forced some hospitals to disrupt chemotherapy, delay reporting lab results and postpone appointments for maternity patients.
Some have had to divert ambulances because their emergency rooms couldn’t accept new patients.
“We’ve seen that in multiple ransomware attacks, especially with small hospitals,” Riggi said. “The next ER department could be 125 miles away.”
Just last month, the U.S. Department of Health and Human Services issued a warning about an aggressive ransomware gang that attacks health care organizations. Among its victims: a network of hospitals and clinics in Ohio and West Virginia that had to cancel surgeries and divert patients with emergencies to other facilities.
And with the heightened threat of Russian cyberattacks on the U.S. after the invasion of Ukraine, health care systems are even more vulnerable because they’re considered critical infrastructure, experts say.
“We are not aware of any specific credible direct threats to U.S. hospitals and health care systems,” Riggi said. “But we are concerned that they could become collateral damage in attacks launched by Russia. Or that Russian-speaking gangs will launch retaliatory attacks against the West.”
In February, the U.S. Cybersecurity and Infrastructure Security Agency issued a “Shields Up” warning about the growing Russian cyberthreat to organizations.
Ransomware hijacks computer systems and holds them hostage until the victims pay a ransom or restore the system on their own. It typically spreads through phishing, in which hackers email malicious links or attachments and people unwittingly click on them, unleashing malware.
In 2020 and 2021, there were at least 168 ransomware attacks affecting 1,763 clinics, hospitals and health care organizations in the U.S., according to Brett Callow, a threat analyst for cybersecurity company Emsisoft.
A November survey of 132 health care executives, most from the United States, found that ransomware was the No. 1 cybersecurity threat, more than data breaches or insider threats, according to the Health Information Sharing and Analysis Center, a nonprofit global cyberthreat-sharing group for the health care industry.
“The shift from paper health records to electronic health records has made patient health information more accessible, however, these records are more vulnerable to attacks and are extremely lucrative,” the report noted. It said hackers can demand $50 for a partial health record, versus $1 for a stolen Social Security or credit card number.
Historically, the health care sector has been playing catch-up when it comes to cybersecurity, according to Errol Weiss, the health information-sharing group’s chief security officer.
“The focus was being compliant with [federal requirements related to] the privacy of patient data, not cybersecurity,” Weiss said. “Unfortunately, a lot of health care organizations are not as good as they should have been and were easy prey.”
The pandemic made things worse as hospitals were over capacity and were busy dealing with seriously ill COVID-19 patients.
“It’s been the perfect storm, between the ransomware, all the overcapacity, people stretched thin and how vulnerable the systems were,” Weiss said.
Some cybercriminals deliberately target health care organizations; other attacks are massive phishing campaigns that happen to hook a staffer or contractor and introduce malware into the network, like the University of Vermont Medical Center attack.
The attackers wound up encrypting the hospital’s 1,300 servers and depositing malware on 5,000 devices, said Dr. Doug Gentile, senior vice president for information technology at the University of Vermont Health Network.
The electronic health network was on a separate part of the network, but the team proactively took it down at the main hospital and three other hospitals’ ambulatory clinics to prevent them from being attacked, according to Gentile.
Officials never contacted the cybercriminals or paid any ransom, he said, and no patient data was compromised.
While the hospital had a good computer backup system, it still took 28 days to rebuild the infrastructure and get electronic health records back up, Gentile said. It took several more months to restore the entire system.
For nearly a month, doctors and nurses had to do everything on paper.
“We had just spent a decade getting paper out of our system,” Gentile said. “Suddenly, we had paper everywhere. We had to get file cabinets.”
For younger doctors, it was a learning experience.
“Most of them had never written orders on paper before,” he said. “We had folks going around on the floors helping those folks write orders on paper because newer physicians didn’t know how to do that.”
Another problem: Staffers couldn’t access clinic schedules for patients, so for several days they didn’t know who was scheduled to come or when.
The cyberattack cost the Vermont hospital system about $54 million, including rebuilding the computer network and lost revenue, officials said.
Since the attack, they have beefed up advanced firewall protection and antivirus software and blocked access to personal email on work computers, Gentile said. They also regularly send out phishing emails to staffers as a test.
“This is an ongoing arms war. The groups doing these attacks are very sophisticated, very corporate,” he said. “We are always on high alert, trying to build up our defenses against another attack.”