Recently, one of the largest healthcare service providers, Universal Health Services, suffered a ransomware attack against multiple locations around the United States. According to UHS employees, locations in California, Florida, Texas, Arizona, and Washington DC were impacted, leaving them unable to access their computers and phone systems. The systems were affected by a ransomware known as Ryuk. Ryuk made headlines in the fall of 2019
This most recent incident comes less than two weeks after a ransomware attack in Germany. That attack resulted in the death of a patient after the affected hospital had to divert ambulances to other hospitals. UHS has had to divert patients to other hospitals as well, and since the attack began there have been four deaths as doctors awaited lab results. It has not been verified that these deaths were directly due to the ransomware attack. However, this most recent attack, coupled with the incident in Germany, will hopefully shine a light on the severity of cyberattacks and, more specifically, ransomware. If healthcare providers don't take cybersecurity seriously, these incidents will continue to happen, and unfortunately, they're going to get worse.
In the early days of the pandemic, many ransomware groups came forward to pledge that they would not attack healthcare providers during this time. One such group, known as Maze, pledged in March of 2020 to take it easy on the healthcare industry. Whether or not these groups can be trusted is TBD. However, the Ryuk group responsible for this attack was not one of them, and several groups have already gone back on their word. It's a nice sentiment, but it does not mean that security professionals can relax their posture; it's always better to be safe than sorry. We can't let our guard down, especially at a time like this.
UHS has turned to its backup processes, which include offline documentation for methods of treatment, so that it can continue caring for patients as safely and effectively as possible. Unfortunately, this greatly slows down patient treatment.
According to cybersecurity professionals, the attack is believed to have started as a phishing scam. The Andriel intelligence platform detected trojans affecting UHS throughout 2020 and as recently as September. To get technical for a moment, the Emotet trojan used in the phishing emails also installs TrickBot, which lets the attackers open a reverse shell back to themselves after sensitive information is harvested from the compromised networks. Once in the network, the attackers can gain administrative credentials and then deploy the ransomware payloads on network devices using PsExec. Because this was a ransomware attack, there is a good chance that patient and employee data was stolen as well, increasing the damages.
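The PsExec deployment step described above leaves a trace defenders can hunt for: each target host logs Service Control Manager event 7045 when PsExec's helper service, PSEXESVC, is installed. The following is an added example, not code from the original article; the host names, timestamps, record layout, window and threshold are constructed assumptions. It flags a burst of those installs across several hosts.

```python
from datetime import datetime, timedelta

# Constructed sample: event 7045 ("A service was installed in the system")
# records, assumed to be already parsed from centrally forwarded System logs.
SAMPLE_EVENTS = [
    {"time": "2024-02-27T14:00:00", "host": "SRV-APP-02", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-05T02:01:10", "host": "WS-LAB-01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-05T02:01:45", "host": "WS-LAB-02", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-05T02:02:00", "host": "WS-LAB-01", "event_id": 7045,
     "service": "PrintHelper", "image": r"C:\Program Files\PrintHelper\helper.exe"},
    {"time": "2024-03-05T02:03:02", "host": "WS-ER-07", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    {"time": "2024-03-05T02:04:30", "host": "SRV-FILE-01", "event_id": 7045,
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

def is_psexec_install(ev):
    """True for a 7045 record whose service name or binary is PsExec's."""
    if ev["event_id"] != 7045:
        return False
    return (ev["service"].upper() == "PSEXESVC"
            or ev["image"].lower().endswith("\\psexesvc.exe"))

def psexec_fanout(events, window=timedelta(minutes=10), min_hosts=3):
    """Alert when PSEXESVC is installed on >= min_hosts hosts within window."""
    hits = sorted((datetime.fromisoformat(e["time"]), e["host"])
                  for e in events if is_psexec_install(e))
    alerts, start = [], 0
    while start < len(hits):
        t0, end = hits[start][0], start
        while end < len(hits) and hits[end][0] - t0 <= window:
            end += 1
        hosts = sorted({h for _, h in hits[start:end]})
        if len(hosts) >= min_hosts:
            alerts.append({"first_seen": t0.isoformat(), "hosts": hosts})
            start = end   # consume the whole burst so it alerts only once
        else:
            start += 1    # isolated install, e.g. routine admin use
    return alerts

if __name__ == "__main__":
    for alert in psexec_fanout(SAMPLE_EVENTS):
        print(alert)
```

The match is name-based, so treat it as one signal alongside credential-use and endpoint telemetry, and tune the window and host threshold to how administrators in the environment legitimately use PsExec.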
The reality is that incidents like this one are often avoidable. It just takes an investment in cybersecurity, but when valuable data and even lives are on the line, it’s a worthy investment. Some proactive measures can be taken to avoid this type of attack.
As technology advances, so do cybercriminals, and the trend doesn’t seem to be slowing down any time soon. That’s why our cybersecurity tactics must also advance to keep up with the ever-changing threat landscape. Hospitals should become more technologically advanced to provide better and more efficient healthcare to their patients, but in order to do that, they have to understand the risks involved and how to remediate them. Otherwise, they’ll continue to be the hardest-hit industry when it comes to cyberattacks.