Ransomware Wave Hits Healthcare, as 3 Providers Report EHR Downtime

October 29, 2020 - The FBI is investigating an ongoing wave of cyberattacks, including Ryuk ransomware, trouncing US hospitals, health systems, and other providers. At least three systems have already been driven into EHR downtime this week: University of Vermont Health Network, New York-based St. Lawrence Health System, and Sky Lakes Medical Center in Oregon.

Sonoma Valley Hospital also recently reported it was operating under EHR downtime procedures after a security incident more than two weeks ago.

UVM Health Network is currently investigating a significant and ongoing system-wide network issue, causing a massive outage and thought be a cyberattack, according to local news outlet NBC5. Officials don’t know how long recovery efforts will take, but at least six hospitals have been affected. 

Access to the health system’s MyChart Patient Portal is also down, while it appears the UVM Medical Center has been hardest hit by the event. Elective procedures scheduled for Thursday, October 29, will need to be rescheduled, as the patient medical records system went down in the attack. 

Central Vermont Medical Center and Champlain Valley Physicians Hospital were also affected but continue to maintain all patient care services. However, some patients may experience delays. The other UVM Health Network sites continue to maintain all patient services. 

READ MORE: Ransomware Hacking Groups Steal, Leak Data From 3 More Providers

UVM Health Network is working with federal law enforcement to investigate the scope and source of the event. 

Meanwhile, Sky Lakes Medical Center released a statement reporting it had fallen victim to a ransomware attack on Tuesday, which compromised its computer systems. Patients were told that “communications with the medical center will be a little complicated until we can get our systems operating again.”  

Emergency and urgent care sites remain open to patients, and many scheduled procedures will proceed despite the attack. 

“Our entire Sky Lakes team is working to counter this attack, and we will keep you updated on the ongoing details of our efforts to return business back to normal,” officials said in a statement. “Please be patient. We are working to ensure all medical needs are taken care of during this time. Sky Lakes is open and, as always, safe and is here to care for you.” 

New York-based St. Lawrence Health System was also hit with a ransomware attack on Tuesday, which officials confirmed is Ryuk ransomware. The attack was detected in a matter of hours. 

READ MORE: US Ransomware Attacks Doubled in Q3; Healthcare Sector Most Targeted

The IT department disconnected all systems and shut down the impacted network to prevent further proliferation. All sites are operating under established backup processes, including EHR downtime and offline documentation methods. Patient care is continuing at all sites, but ambulances were diverted for a short amount of time at some facilities. 

The New York State Department of Health confirmed the attack to local news outlet WWNYTV, which has been communicating with the health system amid the attack. Further, St. Lawrence County Emergency Services Department said there will be complete diversion until further notice. 

The health system is working to reboot its systems and operations on a progressive schedule. 

“Ryuk has a long and inglorious record of attacks on public sector bodies, including hospitals, which has resulted in multiple agencies in multiple countries issuing alerts,” Brett Callow, Emsisoft Threat Analyst, told HealthITSecurity.com. 

“Based on the very limited amount of information publicly available at this point, I cannot say whether this is an out of the ordinary event or simply a case of business-as-usual - albeit somewhat unusual in that a number of providers appear to have been hit in fairly quick succession,” he added. “In at least one cases, it appears that ambulances are being diverted to other facilities and, as history has proven, that can have fatal consequences. Let’s hope that a tragedy is avoided this time.” 

Joint Alert

Calling the increased cyberattacks “imminent,” the joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Agency, the FBI, and the Department of Human Services sheds light on the threat and what entities must do to manage the risk of ransomware and other cybercrimes.

Ryuk ransomware has pummeled the healthcare sector, predominantly targeting larger organizations or distributed networks of entities through their IT MSPs or hosting internet service providers. 

The human-operated ransomware group is behind some of the biggest healthcare attacks in the last year, including DCH Health System in Alabama, Universal Health Services, Valley Health System, and Nebraska Medicine. Ryuk and Sodinokibi are frequently named the most predominant ransomware variants. 

There’s been a resurgence in Ryuk attacks during the third quarter of 2020, with Check Point observing an average of 20 organizations attacked each week and a specific spike of attacks on the healthcare sector. 

“Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines,” Jeff Horne, Ordr CSO, previously told HealthITSecurity.com. 

“Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents, and compromised accounts,” he added. 

According to the latest CISA alert, hackers are targeting the healthcare and public health sectors with Trickbot malware, which often leads to ransomware attacks, data theft, and a disruption of healthcare services. 

Trickbot is commonly paired with Ryuk and was updated in June to better evade detection, leaving no trace on a victim’s network and will disappear after a reboot or shutdown. The hacking trojan is designed to steal information and create backdoor access used by hackers to distribute malware. 

Ryuk ransomware actors added Trickbot to their arsenal in January 2019. The CISA alert noted that the backdoor allows victim machines to communicate with the C2 servers over DNS traffic to evade typical network defense products and to make malicious communications blend with legitimate DNS traffic. 

Further, Ryuk will commonly use commercial, off-the-shelf products to steal credentials, quickly mapping the network to enumerate the network and understand the scope of the infection. The threat actors have been known to “live off the land,” sometimes using native tools to locate mapped network shares, domain controllers, and active directory. 

The hackers have even been known to “attempt to shut down or uninstall security applications on the victim systems that might prevent the ransomware from executing. Normally this is done via a script, but if that fails, the attackers are capable of manually removing the applications that could stop the attack.” 

In light of the COVID-19 pandemic response, these attacks will pose even greater challenges for providers. As such, administrators must balance this risk when outlining cybersecurity investments. 

“Speaking as a physician in the cybersecurity space, it’s clear to me that attackers now understand that exploiting clinical risk and patient safety are the key factors to cause the disruption they need and achieve the outcomes they want,” Saif Abed, founding partner and director of cybersecurity advisory services of the AbedGraham Group, told  HealthITSecurity.com 

“This advisory reinforces a damaging trend afflicting the health sector in the US and across the world,” he added. “Policymakers and health system leaders at the boardroom level need to reevaluate their security strategies and investments across people, processes and technology otherwise we will increasingly measure ransomware attacks in morbidity and mortality.” 

Mitigation

According to the Cyber Centre, there have been multiple recently reported, high profile instances of Ryuk ransomware attacks on a range of entities, including public health and safety organization and municipal governments in Canada and abroad. 

The security agency has assessed these attacks and determined they are indeed a part of a larger international Ryuk campaign that may be targeting additional sectors. At least 62 healthcare providers and systems have been impacted by ransomware in 2020, and so far in October, at least eight providers have fallen victim. 

The alert urged healthcare entities to maintain business continuity plans to minimize service interruptions, as “without planning, provision, and implementation of continuity principles, organizations may be unable to continue operations” 

Administrators should evaluate continuity and capability to identify any continuity gaps, which can help organizations establish a viable continuity program to ensure the facility can function amid cyberattacks and other emergencies. The alert also reminded organizations of network and ransomware best practices, as well as the need for improved user awareness. 

HHS, FBI, and CISA reminded organizations to review or establish patching plans, security policies, and user agreements to ensure they are fully addressing the current threats posed by hackers. Notably, ransomware attacks cause an average of 15 days of downtime, which could be critical amid the pandemic response. 

Organizations are also encouraged not to pay ransom demands, as it does not guarantee files will be recovered and it will embolden hackers to target more entities. 

“As we have said before, the only way to stop ransomware attacks is to prohibit the payment of ransom demands,” Callow said. “If the flow of cash stops, the attacks will stop, and patients will not be put at risk. It’s as simple as that.” 

Healthcare organizations can review a host of provided ransomware guidance from Microsoft and the Office for Civil Rights to ensure they know how to best defend against these attacks. 

• Tagged
• Cybersecurity
• Endpoint Security
• HHS
• Interviews
• Ransomware