Kronos Cyberattack Takes Down Healthcare Workforce Management Services

December 16, 2021 - HR management solutions provider Kronos, also known as Ultimate Kronos Group (UKG), fell victim to a ransomware attack that impacted healthcare workforce management and payroll services. In a blog post, Kronos said that it will be weeks before its Kronos Private Cloud solutions will be running smoothly again.

The attack occurred on December 11 and impacted only the Kronos Public Cloud (KPC) portion of the business, which includes its Healthcare Extensions, Banking Scheduling Solutions, UKG Workforce Central, and UKG TeleStaff offerings.

Services that were not using the Kronos Private Cloud were not impacted, including UKG Ready, UKG Dimensions, and UKG Pro.

Kronos has a multitude of healthcare clients, along with high-profile clients in the car manufacturing industry, education, and local government.

Shannon Medical Center in San Angelo, Texas confirmed that it had been impacted by the Kronos cyberattack and has since implemented payroll downtime procedures, the San Angelo Standard-Times reported.

READ MORE: Majority of Patients Don’t Trust Healthcare Providers to Handle PII

Shannon Medical Center uses Kronos services for timekeeping and scheduling, and a spokesperson told the San Angelo Standard-Times that the medical center’s goal is to ensure all its employees are paid according to schedule.

Baptist Health and UF Health, both Florida-based hospitals, were impacted by the Kronos breach, according to WJAX. All three hospitals said that they have taken steps to ensure that they can process payroll so that employees will be paid on time.

Indianapolis-based Ascension St. Vincent Hospital told Fox affiliate WXIN that it had also been impacted by the attack.

“Like many companies, we have been impacted by the ransomware attack on Kronos,” a public relations specialist told WXIN.

“While Kronos is working to address system issues, we have put in place alternate systems to track time and process payroll as scheduled.”

READ MORE: Severe Apache Log4j Vulnerabilities Could Result in Healthcare Cyberattacks

The City of Cleveland also notified the public that its timekeeping services had been impacted by the breach, according to WKYC Studios. In addition, the City of Springfield, Massachusetts announced that it will implement contingency plans to make sure employees continue to receive their paychecks following the Kronos attack, MassLive reported.

At least in the case of the City of Cleveland, some employee names, addresses, employee IDs, and last four Social Security digits may have been compromised. It is likely that more organizations will come forward in the coming days and weeks.

The Kronos website says that KPC undergoes regular security examinations from independent auditors.

“The security architecture has been designed to control appropriate logical access to the KPC utilizing two-factor authentication when accessing the infrastructure,” the website states.

“This authentication technology helps mitigate a number of security risks associated with logging into the infrastructure. A centralized secure file transfer solution facilitates data transfers between the customer and KPC. This solution provides for an encrypted transmission and logging of all files transferred into or out of a customer environment.”

READ MORE: Weak Passwords, Poor Cyber Hygiene Invite Healthcare Data Breaches

Cybercriminals are increasingly targeting third-party vendors, largely because it expands their attack surface and scope by allowing them to disrupt thousands of businesses at once.

“A lack of the availability of those services could be quite disruptive for health care providers, many of whom are experiencing surges of COVID-19 and flu patients. We have received several reports from the field indicating that some hospitals and health systems have been impacted by this ransomware attack against Kronos," John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association (AHA), said in a statement.

"This attack once again highlights the need for robust third-party risk management programs that identify mission-critical dependencies and downtime preparedness. If mission-critical third-party services are made unavailable due to a cyberattack, it may result in disruptions to hospital operations. As such, we urge all third-party providers that serve the health care community to examine their cyber readiness, response and resiliency capabilities.” 

Recent guidance from the Cloud Security Alliance (CSA) warned healthcare organizations about the growing threat of ransomware in the healthcare cloud. Cloud storage may give organizations an advantage when it comes to data protection, but that does not mean that it is immune to cyberattacks.

CSA recommended installing endpoint protection, filtering incoming and outgoing emails to detect threats, and employing network segmentation to ensure separation between IT and networked medical devices.

“Malware detection, behavior-based anomaly detection, and intrusion detection are all used for event detection. The goal is to detect events as they happen, to trigger the appropriate responses, and to provide information about the attack to the security team,” the report explained.

This story was originally published on 12/15/21. It has been updated to reflect recent developments.