UHS says all U.S. facilities affected by apparent ransomware attack
Universal Health Services said Thursday afternoon that it was continuing its efforts to recover from a security issue that led to a network shutdown throughout its United States facilities.
"The UHS IT Network is in the process of being restored and applications are being reconnected," said a statement on the website of the King of Prussia, Pennsylvania-based hospital chain, which operates some 400 hospitals, outpatient clinics and behavioral health centers across the U.S and in the U.K.
"We have a large number of corporate-level administrative systems, and the recovery process is either complete or well underway in a prioritized manner. We are making steady progress and are confident that we will be able to get hospital networks restored and reconnected soon," said the Pennsylvania-based system.
A spokesperson told the Associated Press that all 250 UHS facilities in the United States were affected.
The health system said in the statement that its major information systems, such as the electronic health record, were not directly impacted and that it was "focused on restoring connections to these systems."
The statement said that it had no indication that any patient or employee data had been accessed, copied or misused. The system's operations in the United Kingdom were not affected.
WHY IT MATTERS
Although UHS did not offer details about the incident, BleepingComputer reported the attack shows signs of being caused by ransomware. An employee told the site that files were being renamed to include the .ryk extension, used by the Ryuk ransomware.
"Ryuk can be difficult to detect and contain as the initial infection usually happens via spam/phishing and can propagate and infect IoT/IoMT devices, as we’ve seen with UHS hospital phones and radiology machines," said Jeff Horne, chief security officer at Ordr, in a statement provided to Healthcare IT News.
"Once on an infected host, it can pull passwords out of memory and then laterally moves through open shares, infecting documents and compromised accounts," Horne continued.
Computer systems at UHS began to fail over the weekend, with some facilities forced to return to pen-and-paper documentation.
The company maintains that patient care continues to be delivered "safely and effectively," but nurses told NBC News earlier this week that they'd had difficulties with an online medication system. A cardiologist at a UHS facility said in a CNN report that he'd had to cancel several surgeries, although patient safety isn't necessarily a problem because of manual systems already in place.
Unfortunately, ransomware can be a life-or-death issue. A German woman died earlier this month after an attack necessitated a move between hospitals, said to be the first fatality linked to a ransomware incident.
THE LARGER TREND
UHS certainly isn't alone. Health systems have repeatedly fallen victim to opportunistic ransomware attacks. Security experts told Healthcare IT News that although there are a few steps an organization can take in a suspected attack – disconnecting a device from a network, for example, and leveraging existing privileged access management. The best response is a robust prevention plan.
"If you have backups, secure them and immediately take them offline until you are able to confirm the depth and scope of the compromise," advised Neal Dennis, threat intelligence specialist at Cyware.
Experts and law enforcement bodies generally don't advise paying the ransom, although it may be warranted in cases of patient safety and vital research. UC San Francisco this summer paid hackers $1.14 million to decrypt data that, it said, was important to its academic work as a "university serving the public good."
ON THE RECORD
"IoMT security is more critical than ever before, as we’ve recently seen patients die as a result of being held hostage," Horne said.
Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Email: kjercich@himss.org
Healthcare IT News is a HIMSS Media publication.