Breach shuts off computers at six area hospitals
Computers were offline Sunday and Monday at six Las Vegas-area hospitals as Universal Health Services facilities across the U.S. and Britain responded to an unspecified “security issue,” according to company statements.
UHS, which operates Valley Health System hospitals in the Las Vegas Valley, is using “established offline documentation methods” until the issue is resolved, the statements add, and “no patient or employee data appears to have been accessed, copied or otherwise compromised.”
Valley Health System facilities include Centennial Hills Hospital Medical Center, Desert Springs Hospital Medical Center, Henderson Hospital, Spring Valley Hospital Medical Center, Summerlin Hospital Medical Center and Valley Hospital Medical Center.
Valley Health System spokeswoman Gretchen Papez said she had no comment beyond a written statement.
UHS, a Fortune 500 company with 90,000 employees, said “patient care continues to be delivered
safely and effectively.”
The Pennsylvania-based company provided no details, but people posting to an online Reddit forum who identified themselves as employees said the chain’s network was hit by ransomware overnight Sunday.
The posts echoed the alarm of a clinician at a UHS facility in Washington, D.C., who described to The Associated Press a mad scramble, including anxiety over determining which patients might be infected with the virus that causes COVID-19.
John Riggi, senior cybersecurity adviser to the American Hospital Association, called it a “suspected ransomware attack,” adding that criminals have been increasingly targeting the networks of health care institutions during the coronavirus pandemic.
Ransomware is a growing scourge in which hackers infect networks with malicious code that scrambles data. They then demand payment to restore services.
Cybersecurity expert Scott Howitt said the thrust of a ransomware attack typically is to cripple a computer system’s availability rather than to steal data. Howitt, who had no firsthand information about the incident, said it appeared that “back-office systems” were affected and not direct patient care technology such as heart pumps and EKG monitors.
This month, the first known fatality related to ransomware occurred in Duesseldorf, Germany, after an attack caused IT systems to fail and a critically ill patient needing urgent admission died after she had to be taken to another city for treatment.
The Washington clinician de
scribed a high-anxiety scramble to handle the loss of computers and some phones starting Sunday. The person, involved in direct patient care, was not authorized to speak publicly and described the chaotic situation on condition of anonymity.
The loss of computer access meant that medical personnel could not easily see lab results, imaging scans, medication lists and other critical pieces of information that doctors rely on to make decisions. Phone problems complicated the situation, making it harder to communicate with nurses.
“These things could be life or death,” the clinician said.
The facility has a “downtime protocol,” in which everything is supposed to be done with paper and pencil, the staffer added, “but no one was expecting to have to use it.” Lab orders had to be hand-delivered.
“We are most concerned with ransomware attacks, which have the potential to disrupt patient care operations and risk patient safety,” said Riggi, the cybersecurity adviser to hospitals. “We believe any cyberattack against any hospital or health system is a threat-to-life crime and should be responded to and pursued as such by the government.”
In the U.S. alone, 764 health care providers were victimized last year by ransomware, according to data compiled by the cybersecurity firm Emsisoft. It estimates the overall cost of ransomware attacks in the U.S. to be $9 billion a year in terms of recovery and lost productivity.
For those unwilling to pay ransoms, the only way to effectively recover is through diligent daily system data backups.