South Florida Sun-Sentinel (Sunday)

Hospitals are facing threats of cyberattac­k

As virus surges, patient informatio­n becomes valuable

- By Marion Renault andWilson Ring

BURLINGTON, Vt. — By late morning on Oct. 28, staff at theUnivers­ity ofVermont Medical Center noticed the hospital’s phone system wasn’tworking.

Then the internet went down, and the Burlington­based center’s technical infrastruc­turewith it. Employees lost access to databases, digital health records, scheduling systems and other online tools they rely on for patient care.

Administra­tors scrambled to keep the hospital operationa­l — canceling nonurgent appointmen­ts, reverting to pen-and-paper record keeping and rerouting some critical care patients to nearby hospitals.

In its main laboratory, whichruns about8,000tests a day, employees printed or hand-wrote results and carried them across facilities to specialist­s. Outdated, internet-free technologi­es experience­d a revival.

“Wewent around and got every fax machine that we could,” said UVM Medical Center ChiefOpera­ting Officer Al Gobeille.

The Vermont hospital had fallen prey to a cyberattac­k, becoming one of the most recent and visible examples of a wave of digital assaults taking U.S. health care providers hostage as COVID-19 cases surge nationwide.

The same day as UVM’s attack, the FBI and two federal agencies warned cybercrimi­nals were ramping up efforts to steal data and disrupt services across the health care sector.

By targeting providers with attacks that scramble and lock up data until victims pay a ransom, hackers can demand thousands or millions of dollars and wreak havoc until they’re paid.

In September, for example, a ransomware attack paralyzed a chain of more than 250 U.S. hospitals and clinics. The resulting outages delayed emergency roomcare and forced staff to restore critical heart rate, blood pressure and oxygen levelmonit­ors with ethernet cabling.

Ransomware is also partly to blame for some of the nearly700p­rivate health informatio­n breaches, affecting about 46.6 million people and currently being investigat­ed by the federal government. In the hands of a criminal, a single patient record — rich with details about aperson’s finances, insurance and medical history — can sell for upward of $1,000 on the black market, experts say.

Over the course of 2020, many hospitals postponed technology upgrades or cybersecur­ity training that would help protect them from the newest wave of attacks, said health care security expertNick Culbertson.

“The amount of chaos that’s just coming to a head here is a real threat,” he said.

With COVID-19 infections and hospitaliz­ations climbing nationwide, experts say health care providers are dangerousl­y vulnerable to attacks on their ability to function efficientl­y and manage limited resources.

Even a small technical disruption can quickly ripple out into patient care when a center’s capacity is stretched thin, said Vanderbilt University’s Eric Johnson, who studies the health impacts of cyberattac­ks.

“November has been a month of escalating demands on hospitals,” he said. “There’s no room for error. Fromahacke­r’s perspectiv­e, it’s perfect.”

Since the attack, the Burlington-based hospital network has referred all questions about its technical details to the FBI, which has refused to release any additional informatio­n, citing an ongoing criminal investigat­ion. Officials don’t believe any patient suffered immediate harm, or that any personal patient informatio­n was compromise­d.

But the hospital is still recovering.

Oncologist­s could not access older patient scans which could help them, for example, compare tumor size over time. And, until recently, emergency department clinicians could take X-rays of broken bones but couldn’t electronic­ally send the images to radiologis­ts at other sites in the health network.

“We didn’t even have internet,” said Dr. Kristen DeStigter, chair of UVM Medical Center’s radiology department.

Soldiers with the state’s National Guard cyber unit have helped hospital IT workers scour the programmin­g code in hundreds of computers and other devices, line-by-line, to wipe any remaining malicious code that could reinfect the system. Many have been brought back online, but others were replaced entirely.

It will be a scramble for other health care providers to protect themselves against the growing threat of cyberattac­ks if they haven’t already, said data security expert Larry Ponemon.

“It’s not like hospital systems need to do something new,” he said. “They just need to dowhat they should be doing anyway.”

Newspapers in English

Newspapers from USA