UVM Health Brings EHR Back Online, One Month After Ransomware Attack

The latest ransomware update shows multiple health providers are continuing to operate under EHR downtime procedures following attacks; UVM Health Network restored EHR access.

By Jessica Davis

The University of Vermont Health Network restored access to its Epic EHR, following a month of downtime procedures brought on by a massive ransomware attack across its care network.

A November 24 update reports access has been restored to its electronic medical record system at the UVM Medical Center inpatient and ambulatory sites, as well as the ambulatory clinics at Central Vermont Medical Center, Champlain Valley Physicians Hospital, and Porter Medical Center.

“Bringing Epic back online means our staff will no longer need to manually log patient information, and medications, treatment, and clinical orders can be recorded electronically once again,” officials said in the update.

“This is a significant step forward and will improve our operations, however, much work remains ahead and our teams continue to work around the clock towards full restoration as quickly and safely as possible.”

The health system has been operating under EHR downtime procedures after a ransomware attack caused a massive system-wide network outage across six UVM Health care sites during the week of October 25.

The main campus medical center was the hardest hit, and electronic communications across the UVM Health network were also disrupted. The radiology department faced appointment delays and was only open on a limited basis.

Given the severity of the attack and the COVID-19 response, the governor of Vermont deployed the Army National Guard’s Combined Cyber Response Team to UVM Health on November 5 to assist with recovery efforts, which allowed for significant progress in the days that followed.

As it stands, UVM Health is continuing restoration efforts on its patient-facing applications, including its MyChart patient portal, which is still unavailable. Officials said there’s still a significant amount of work ahead in terms of recovery. The health system is also working with the FBI on its investigation.

Update on Ransomware-Driven EHR Downtime

UVM was one of several health systems hit with ransomware around the same timeframe, which prompted a joint federal alert on a ransomware wave impacting the sector.

St. Lawrence Health System was among the impacted hospitals, but the New York provider restored EHR access during the week of November 9.

Sky Lakes Medical Center was the third provider hit during the initial wave, but no updates have been reported since November 7, when officials said they were expecting a detrimental financial impact from the ransomware attack as the provider replaces most of its networks, systems, and workstations.

Earlier in October, Sonoma Valley Hospital was also driven to EHR downtime by a ransomware attack. The last update on November 13 revealed the provider was continuing its recovery efforts while operating under its business continuity plan.

The final provider impacted by the wave of cyberattacks, Dickinson County Healthcare System, is still continuing its recovery efforts. On November 19, local news outlet Upper Michigan Source reported that the provider has about 5 percent of its systems left to recover, as it is building an enhanced cybersecurity infrastructure following the attack in mid-October.

Lastly, one of the first providers to be impacted with ransomware this fall, Ashtabula County Medical Center in Ohio, is still working to bring its systems back online more than two months after the attack, according to local news outlet Star Beacon.

The latest update revealed that officials don’t expect full system recovery until the end of the year -- a concerning statistic, as ACMC has seen massive patient volumes amid the COVID-19 outbreak.

Griffin Hospital Website Outage

Connecticut’s Griffin Hospital was forced to create a temporary, alternative website after a ransomware attack on its site administrator, Managed.com, brought down its official webpage. Managed.com is a web hosting company.

On November 16, Managed.com suffered a REvil ransomware attack, which affected a number of its clients’ websites. However, the service provider took down the entire system to prevent the attack from spreading to other clients.

Griffin Hospital was among those affected. Users who entered the hospital's URL found error messages, rather than the webpage. No patient information was impacted during the incident, and the website has since been restored.

Four Winds Hospital Reports Breach Tied to Ransomware Attack

New York-based Four Winds Hospital is notifying an undisclosed number of patients that their patient data was potentially compromised during a ransomware attack in September.

The attack hit on September 1 and, officials said, blocked access to the network for two weeks. Upon discovery, the hospital contacted state regulators and federal law enforcement agencies, and launched an investigation once the security team had blocked the hackers’ access to the system.

The investigation determined the attackers obtained patient data during the attack, but officials “obtained evidence that the cybercriminals deleted any files in their possession, although that evidence cannot be independently verified.”

As recently reported by Coveware, any evidence provided by hackers that they’ve deleted or destroyed stolen data is unreliable. Data exfiltration and extortion occur in about 50 percent of all ransomware attacks.

According to the notice, hackers did not access encrypted data fields, emails, or any information in the hospital’s cloud-based and encrypted programs, nor was the patient EMR accessed during the attack.

Rather, the hackers accessed password-protected data files. Officials said they conducted a file-by-file search to determine which files contained patient data and determined some information was potentially accessed when the hackers retained possession of the files.

The data included lists of patients from 1983 to the present and involved names and medical record numbers, as well as 100 records that contained Social Security numbers. 

“Some files dating back to 2013 that contained miscellaneous documents that included limited patient treatment information and the SSN of patients who were Medicare members admitted earlier than 2019 during the time that Medicare cards displayed that number,” officials explained.

Healthcare providers should review ransomware attack insights from NIST, the Office for Civil Rights, and Microsoft to ensure they've implemented the appropriate controls and preventative measures, as well as offline backups, to avoid falling victim to similar ransomware attacks.