Las Vegas Review-Journal (Sunday)
Cyberattacks a threat to hospitals
Hackers can demand ransom, wreak havoc
BURLINGTON, Vt. — By late morning on Oct. 28, staff at the University of Vermont Medical Center noticed the hospital’s phone system wasn’t working.
Then the internet went down, and the Burlington-based center’s technical infrastructure with it. Employees lost access to databases, digital health records, scheduling systems and other online tools they rely on for patient care.
Administrators scrambled to keep the hospital operational — cancelling non-urgent appointments, reverting to pen-and-paper record keeping and rerouting some critical care patients to nearby hospitals.
In its main laboratory, which runs about 8,000 tests a day, employees printed or hand-wrote results and carried them across facilities to specialists. Outdated, internet-free technologies experienced a revival.
“We went around and got every fax machine that we could,” said UVM Medical Center Chief Operating Officer Al Gobeille.
The Vermont hospital had fallen prey to a cyberattack, becoming one of the most recent and visible examples of a wave of digital assaults taking U.S. health care providers hostage as COVID-19 cases surge nationwide.
The same day as UVM’s attack, the FBI and two federal agencies warned cybercriminals were ramping up efforts to steal data and disrupt services across the health care sector.
By targeting providers with attacks that scramble and lock up data until victims pay a ransom, hackers can demand thousands or millions of dollars and wreak havoc until they’re paid.
In September, for example, a ransomware attack paralyzed a chain of more than 250 U.S. hospitals and clinics. The resulting outages delayed emergency room care and forced staff to restore critical heart rate, blood pressure and oxygen level monitors with ethernet cabling.
A few weeks earlier, in Germany, a woman’s death became the first fatality believed to result from a ransomware attack. Earlier in October, facilities in Oregon, New York, Michigan, Wisconsin and California also fell prey to suspected ransomware attacks.
Ransomware is also partly to blame for some of the nearly 700 private health information breaches, affecting about 46.6 million people and currently being investigated by the federal government. In the hands of a criminal, a single patient record — rich with details about a person’s finances, insurance and medical history — can sell for upward of $1,000 on the black market, experts say.
Over the course of 2020, many hospitals postponed technology upgrades or cybersecurity training that would help protect them from the newest wave of attacks, said health care security expert Nick Culbertson.
“The amount of chaos that’s just coming to a head here is a real threat,” he said.
With COVID-19 infections and hospitalizations climbing nationwide, experts say health care providers are dangerously vulnerable to attacks on their ability to function efficiently and manage limited
resources.
Since the attack, the Burlington-based hospital network has referred questions about its technical details to the FBI, which has refused to release additional information, citing an ongoing investigation. Officials don’t believe any patient suffered immediate harm, or that any personal patient information was compromised.
But more than a month later, the hospital is still recovering.
Some employees were furloughed for weeks before returning to their regular duties. Oncologists could not access older patient scans. And, until recently, emergency department clinicians could take X-rays of broken bones but couldn’t electronically send the images to radiologists at other sites in the health network.
“We didn’t even have internet,” said Dr. Kristen DeStigter, chair of UVM Medical Center’s radiology department.
It will be a scramble for other health care providers to protect themselves against the growing threat of cyberattacks if they haven’t already, said data security expert Larry Ponemon.
“It’s not like hospital systems need to do something new,” he said. “They just need to do what they should be doing anyway.”