On Oct. 28, 2020, the information technology (IT) desk at the University of Vermont (UVM) Medical Center began receiving dozens of calls from staff complaining of strange computer access problems. Concerned, team members at the Burlington-based center started looking for signs of malicious software — and quickly found a file with instructions to contact the alleged perpetrators of the cyberattack.
The center instead locked down email, internet access, and major chunks of the organization’s computer network to prevent further damage.
For nearly a month, UVM Medical Center employees couldn’t use electronic health records (EHRs), payroll programs, and other vital digital tools. For days, staff didn’t even know which patients were scheduled for appointments. Many surgeries had to be rescheduled, and cancer patients had to go elsewhere for radiation treatment.
Though the center never paid a ransom, the attack cost an estimated $50 million, mostly from lost revenue, says UVM Health Network Chief Medical Information Officer Doug Gentile, MD. And it took IT staff three weeks working 24/7 to scrub network systems and restore thousands of affected computers.
Gentile extends this advice to all hospitals: “If cybersecurity isn’t one of your top two priorities, it needs to be,” he says. “If you don’t have a very robust security profile, you’re likely to get hit.”
“Hospitals’ systems were already fragile before the pandemic. Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.”
Head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force
The ransomware attack on UVM Medical Center is like numerous others that have hit hundreds of hospitals in recent years: Hackers gain entry to a computer system, encrypt the files that run it, and then demand payment for a decryption key to unlock access.
Corporations worldwide have experienced an increase in ransomware attacks in recent months — Colonial Pipeline and the JBS meatpacking plants among them — and health care is one of the industries hit particularly hard.
“Hospitals’ systems were already fragile before the pandemic,” notes Josh Corman, head of the Cybersecurity and Infrastructure Security Agency (CISA) COVID-19 task force. “Then the ransomware attacks became more varied, more aggressive, and with higher payment demands.”
In fact, more than 1 in 3 health care organizations globally reported being hit by ransomware in 2020, according to a survey of IT professionals. What’s more, the sector experienced a 45% uptick just since November 2020, according to HealthITSecurity.
“Attackers understand that we’re talking about life and death,” says Amar Yousif, MBA, chief information officer at UTHealth in Houston. “There’s a great incentive to just pay and get the thing unlocked so we can treat patients.”
But hospitals are not helpless against high-tech extortionists. An arsenal of tools can help prevent — or address — ransomware attacks. All the measures take time and money, though.
“Health care organizations tend to defer cybersecurity investment. It can be hard to divert resources to information security if it seems to come at the expense of patient services,” says Stephen Lopez, PhD, MBA, AAMC senior director of information security. “But in this environment, patient services are at risk if organizations put off guarding against ransomware.”
Hospitals in the crosshairs
What has become clear in recent years, according to experts, is that hospitals are under relentless attack.
“Cybercriminals try every hospital, every day; every computer, multiple times a day,” notes Dean Sittig, PhD, professor of biomedical informatics at the School of Biomedical Informatics at UTHealth in Houston.
And it can take just one employee falling for a fake email to send malicious code speeding through a network in search of additional weaknesses to exploit.
Pandemic-related changes only heightened vulnerabilities. Telemedicine and remote work added new ways into systems, and economic setbacks led some hospitals to lay off and/or furlough cybersecurity staff. “There was more to defend combined with less ability to defend it,” Corman says.
The extent and impact of a successful attack can be huge. More than 600 U.S. health care organizations and more than 18 million patient records were affected in 2020 alone at an estimated cost of nearly $21 billion, according to one study. When Universal Health — a major hospital chain operating in several states — was attacked last fall, it had to relocate surgical patients and divert ambulances to other hospitals.
“Cybercriminals try every hospital, every day; every computer, multiple times a day.”
Dean Sittig, PhD
Professor at UTHealth School of Biomedical Informatics
Some types of hospitals are particularly vulnerable for a variety of reasons, experts note.
“There may be one [rural] hospital serving six counties with thousands of people, and geographically, there’s just no other option if it’s hit,” says Jack Kufahl, chief information security officer at Michigan Medicine. “That’s a real danger.”
Teaching hospitals that perform biomedical research also may be more at risk, as the research process typically requires a greater flow of information and data within and between organizations, increasing opportunities for computer systems to be compromised.
And while stand-alone hospitals can take a top-down approach to cybersecurity, teaching hospitals need to cultivate the creativity and autonomy suitable for an academic environment, Kufahl explains.
“[Teaching hospitals] have small outbreaks of ransomware all the time and we regularly contain them,” he adds, making a comparison to the weather. “Those are just like a light rain shower. The question is whether you could survive a complex ransomware attack that’s more like a tornado.”
Battling the bad guys
Of course, hospitals can take crucial steps to help defend themselves against cybercriminals.
Strong firewalls and frequent updating of antivirus software are essential, experts explain. But even if something worrisome does slip through, all certainly is not lost.
“Let’s say a staff member gets a locked-up graphic on their screen with text demanding X number of dollars for the decryption key,” says Kufahl. “We tell them we don’t do that. We just contain the attack, rebuild that machine, take steps to prevent similar attacks, and move on.”
Moving on is feasible partly thanks to backup files that IT teams use to restore infected computers. Backing up files is a standard defensive maneuver. The catch, though, is how it’s done.
In an October 2020 document warning health care leaders of imminent ransomware attacks, CISA advised a 3-2-1 backup approach. That’s saving three copies of all critical data in at least two different formats and storing one copy offline, out of reach of malicious code.
Segmentation — the dividing of networks into smaller sections — can further bolster ransomware defenses.
“With segmentation, when you detect ransomware in part of your network, instead of shutting down the entire system, you can quickly quarantine that one segment,” Yousif explains. “If you have 10,000 computers, you can’t have 10,000 networks — but maybe you could have 100 networks.”
Yousif has other digital tricks up his sleeve as well. For example, he hides fake EHRs or medical devices in his computer system that booby-trap malware and then alert IT staff so they can quickly fortify their real assets.
But perhaps the most powerful cybersecurity tool is an institution's human capital, experts suggest.
Kufahl’s approach is to partner with employees. “It’s about treating some of the smartest people you’re going to meet in your life respectfully and as part of the equation,” he says. “You have to remember that they’re not consumers of your security — they’re part of your security.”
Lopez highlights the need to educate staff about telltale signs of phishing emails that hide malicious code. “To be effective, an education program needs to show staff what fake emails look like,” he emphasizes. Often, such messages include an urgent request for sensitive information like a password to avoid the shuttering of an account, which can get recipients to act before thinking.
“If you can increase staff members’ basic ‘security hygiene’ around phishing emails, you can avoid or mitigate most malware attacks,” Lopez says.
When a hospital is held hostage
Sometimes, even the smartest people and toughest technology can’t keep a major ransomware attack at bay.
Then, it’s decision time: Should a hospital pay a ransom that can reach six or seven digits?
“You shouldn’t trust a thief,” says Sittig. “If you send them $100,000 to unlock your system, they may say, ‘Now send me $200,000 more.’ That happens more than you would expect.”
Corman notes that institutions may decide to pay ransoms based on the belief that insurance will cover the costs. But that equation may be changing. “Some insurers are quite unhappy with their payouts, and losing money is not a sustainable model,” he says.
So if paying isn’t the best option, what is?
Federal authorities advise coming straight to them. Not all hospitals do so, Corman explains, often out of a misplaced worry that they’ll be fined for not safeguarding patient records. But his role isn’t that of a police officer or regulator, he notes. “We’re really more like firefighters coming to put out the fire. In fact, safe harbor rules protect against these very concerns.”
“Today, executive literacy around cybersecurity is palpably different. There’s been an extraordinary uptick in support. That gives me a lot of hope.”
Chief information security officer at Michigan Medicine
Experts also urge hospitals to have a plan in place in case they suffer a major cybersecurity attack.
When part of its network was hit in a cybersecurity event in June, University of Florida Health contacted pharmacies to fill in missing medication information and sent patients to outside physicians to ensure continuity of care. Ed Jimenez, CEO of one of the affected hospitals, notes that staff were crucial to getting his institution through. “Our dedicated employees are truly our heroes, as they rose to the challenge of restoring normal operations, often sacrificing time with their loved ones to work extra,” he says.
Kufahl recommends that hospitals have emergency plans that integrate teams far beyond the IT department.
“Legal, communications, procurement — we all need to partner on a shared playbook in case of an attack,” he says. “Hospitals have an incident management process for active shooters, floods, and pandemics. Ransomware isn’t any less special.”
Kufahl says he thinks health care leaders are open to such robust efforts.
Five years ago, IT leaders had trouble convincing CEOs of the crucial need to invest in cybersecurity, he says. “Today, executive literacy around cybersecurity is palpably different. There’s been an extraordinary uptick in support,” adds Kufahl. "That gives me a lot of hope.”