Ransomware Spurs EHR Downtime at UHS Health System, 3 More Providers

By Jessica Davis

September 29, 2020 - Universal Health Services is currently recovering from a ransomware attack across its 400 locations, with facilities leveraging back-up processes and paper documentation to continue safe and effective patient care.

On Sunday, UHS staff took to Reddit to discuss a presumed IT event. The thread details a massive outage with no access to phones, computer systems, internet, or data center. Hospitals reportedly diverted ambulances directly after the attack, while lab test results were delayed.

One anonymous user said the attack occurred around 2AM on Sunday morning. The attack began shutting down systems in the emergency department, quickly proliferating across the network. It appears antivirus was disabled by the attack, and hard drives lit up with activity before all computers shutdown. UHS IT teams directed staff to keep the computers offline.

The attack reached California, Florida, Pennsylvania, and Arizona locations. Staff took screenshots of the event and confirmed it to be a ransomware attack – specifically Ryuk. The variant is known to target the healthcare sector, mostly distributed networks and larger organizations.

“One ransomware variant that is particularly concerning is Ryuk, which has been attributed to North Korean and Russian threat actors. Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines,” explained Jeff Horne, CSO, Ordr.

“Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents, and compromised accounts,” he added. “Some threat actors are still piggybacking Ryuk behind some other trojans/bots like TrickBot, QakBot, and Emotet, and some of those can use the EternalBlue vulnerability to propagate.”

Hackers have successfully exploited EternalBlue in hospitals by compromising legacy systems running, Horne noted.

For now, the specific details of the attack are yet to be confirmed and it does not appear that all UHS locations have been impacted. This story will be updated as more information becomes available.

Valley Health System Cyberattack

Las Vegas-based Valley Health System is also recovering from “IT issues” and operating under downtime procedures at six of its locations. Some appointments and elective procedures were canceled due to the incident.

According to its notice, VHS is implementing “extensive IT security protocols” to resolve the issue. Ransomware is suspected, but not yet confirmed.

Ashtabula County Medical Center System Outage

In another similar incident, Cleveland Clinic-affiliate Ashtabula County Medical Center reported a system outage on September 24 that lasted for more than 24 hours.

ACMC launched its downtime procedures to bring systems back online, but some elective procedures and appointments were rescheduled due to the incident. Five ACMC health centers were also impacted by the event, where clinicians could not access lab results, health histories, prescriptions given a lack of computer access.

Again, ransomware is suspected, but it has not yet been confirmed.

Nebraska Medicine Cyberattack

A cyberattack on Nebraska Medicine has caused computer system, EHR, and patient portal access issues for at least two of its locations, including Great Plains Health and hospital branches in Hastings, Norfolk, and Beatrice, first reported by local news outlet NP Telegraph.

While security researchers speculate the outages have been caused by ransomware, for now, Nebraska Medicine officials are calling it a security incident and that they can’t speculate on the nature and scope.

The attack began on Sunday, September 20, which drove the provider into downtime procedures. Nebraska Medicine servers and networks were affected by the incident, but patient care has not been drastically affected. Some nonurgent procedures were postponed, as records could not be accessed.

However, those are being called “isolated cases.” Great Plains Health was hit by a ransomware attack in 2019, which caused similar downtime issues. Officials said they’re using that experience to respond to this similar event.

“We’ve done many things not only around protecting the organization’s data, but also about preparing for downtimes, which is the real disruption,” Great Plains Health CIO Brandon Kelliher, told NP Telegraph. “We’ve had teams meeting ever since December and working on downtime processes.”

“We were planning to test one (in October); however, our test just occurred,” he added. “The real operations of the hospital in downtime situations depend on the people’s willingness to work together, and if there’s one thing hospitals do, it’s that we pull together when there’s a problem. So people are being taken care of and things are getting done.”

For now, it appears that the system will be brought back online within days. And while ransomware is suspected, it has not yet been confirmed.

Maze Hackers Post Data of Pharma Co., Manufacturer

This week, Maze ransomware hackers were also busy: the threat actors posted data allegedly stolen from the pharmacuetical company Humco and WPT Nonwovens, a manufacturer providing healthcare entities with masks and other critical items amid COVID-19.

The screenshots shared with HealthITSecurity.com show the attackers have not yet posted proofs of the data allegedly stolen from WPT, while they've posted 1 percent of the data taken from Humco.

Double extortion attempts are unfortunately becoming par for the course in healthcare. Just two weeks ago, hackers posted data they claim to have stolen from five providers.

Healthcare entities should review ransomware guidance from Microsoft, the Office for Civil Rights, and NIST to better understand how to prevent these increasingly sophisticated attacks.

Latest Health Data Breaches News