2025-09-17 at 5:19 pm #50623
Yin Moe Khaing
1. Brief description of the story:
2020 was a particularly bad year for healthcare industry ransomware attacks, with one of the worst suffered by the King of Prussia, PA-based Fortune 500 healthcare system, Universal Health Services (UHS). UHS operates 400 hospitals and behavioral health facilities in the United States and United Kingdom, and is one of the largest healthcare providers in the United States. UHS suffered a cyberattack in September 2020 that wiped out all of its IT systems, affecting its hospitals and other healthcare facilities across the country. The attack was attributed to a ransomware attack, and it caused severe operational disruptions, including the shutdown of the hospital’s IT systems, delays in patient care, and the diversion of emergency cases to other healthcare providers. UHS had to revert to manual processes, and many of its clinical systems were rendered inaccessible for a period of time. The ransomware attack impacted patient care, leading to long delays and threatening patient safety.
Resource link: https://www.hipaajournal.com/universal-health-services-ransomware-attack-cost/
https://www.techtarget.com/healthtechsecurity/news/366595382/UHS-Ransomware-Attack-Cost-67M-in-Lost-Revenue-Recovery-Efforts
2. Impact and Consequences of the Data Breach:
Operational Impact: The cyberattack forced UHS to shut down its network of IT systems, resulting in major operational disruptions. The phone system was taken out of action, and without access to computers and electronic health records, employees had to resort to pen and paper to record patient information. This significantly delayed patient care and created inefficiencies in hospital operations.
Patient Care Delays: The attack caused severe delays in patient care. Medical records were inaccessible, diagnostic imaging systems were offline. In the early hours after the attack occurred, the health system diverted ambulances to alternative facilities and some elective procedures were either postponed or diverted to competitors. Patients reported delays receiving test results while UHS recovered from the attack.
Financial Impact: The financial consequences of the attack were significant. UHS reportedly had to spend millions of dollars to address the breach, recover its systems, and notify affected individuals. Additionally, the reputation of the organization suffered, which could affect patient trust and future patient visits. The recovery process took around 3 weeks. The disruption naturally had a major impact financially, with the UHS quarterly earnings report for Q4, 2020 showing $42.1 million in losses, which equated to 49 cents per diluted share. UHS ended the quarter with profits of $308.7 million, up 6.6% from Q4, 2019.
Data Exposure: While UHS did not publicly confirm the exact data exposed, ransomware attacks generally involve the encryption of sensitive patient data, which could include medical histories, personal information, and payment details. The breach also made UHS vulnerable to potential data theft and further exploitation.
3. How the data breach occurred:
The UHS cyberattack occurred through a ransomware attack. Ransomware is malicious software that encrypts the victim’s data, making it inaccessible until a ransom is paid. The attack reportedly started when a phishing email was opened by an employee, allowing malware to infiltrate the network. This malware then spread throughout the UHS system, crippling its IT infrastructure.
4. Main Cause of the Data Breach:
The primary cause of the breach appears to be phishing, which is a common entry point for ransomware attacks. Phishing is a type of social engineering attack where attackers trick employees into opening malicious emails or attachments that deploy malware onto the system. Once the malware was in the system, it spread quickly across the network, encrypting files and shutting down operations. Additionally, it can be argued that there may have been weaknesses in UHS’s cybersecurity infrastructure, such as outdated software or insufficient employee training in recognizing phishing attempts. These factors combined allowed the ransomware to successfully infiltrate the system.
5. Preventing data breaches
– Develop policies and procedures: Create a scalable and practical incident response plan so that staff understand their responsibilities and communication protocols both during and after a cyber incident. Teams to include in the incident response plan include (but aren’t limited to) IT, legal, and administrative teams. We should also include a list of contacts such as any partners, insurance providers, or vendors that would need to be notified. These plans should be run through a test process or “tabletop exercise” to assess the implementation, identify any gaps, and then refine the plans accordingly. It is recommended to review the plan on a quarterly basis to account for organizational growth and changes such as end-users/staff or IT assets and infrastructure. We need to provide more comprehensive training to staff on recognizing phishing emails, including how to spot suspicious email attachments and links. This is critical because the majority of ransomware attacks begin with successful phishing campaigns.
– Maintain Backups
Backing up important data is the single most effective way of recovering from a ransomware infection. There are some things to consider, however. Backup files should be appropriately protected and stored offline or out-of-band so they can’t be targeted by attackers. We can use cloud services to help mitigate a ransomware infection, as many of these services retain previous versions of files that allow you to roll back to an unencrypted version. Be sure to routinely test backups for efficacy. In the case of an attack, verify that backups aren’t infected and secure backups immediately following the attack. It is also important to ensure that the integrity of said backups is maintained, and to confirm this before rolling back.
– Keep Systems up to Date
Make sure all of our organization’s operating systems, applications, and software are updated regularly. By applying the latest updates, we’ll make progress in closing security gaps that attackers are looking to exploit. Where possible, turn on auto-updates so we’ll automatically have the latest security patches. In some environments, out-of-date software must still be used because of operational need. Strongly consider addressing those systems that contain particularly vulnerable software and deprecate/update them as soon as possible.
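As an added illustration of the backup-integrity step described above (verify the backup set before rolling back), and not code from the original post: a small Python script that records a SHA-256 manifest for a backup set and checks it before restore, flagging files that were changed or removed after the backup was taken. The directory layout and file contents are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup archives don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Record the SHA-256 of every file in the backup set, keyed by relative path.
    The manifest belongs with the offline copy, not on the production network."""
    return {p.relative_to(backup_dir).as_posix(): sha256_file(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the backup set against its manifest before any rollback.
    Returns the files that are intact, that changed since the manifest was
    written (what an encrypted-in-place copy looks like), and that are missing."""
    result = {"ok": [], "modified": [], "missing": []}
    for rel, expected in manifest.items():
        p = backup_dir / rel
        if not p.exists():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["modified"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo() -> dict:
    """Constructed scenario: a backup taken before an incident, after which one
    file in the online copy was overwritten and one was deleted."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "records").mkdir()
        (backup / "records" / "patient_a.txt").write_text("constructed sample record A")
        (backup / "records" / "patient_b.txt").write_text("constructed sample record B")
        (backup / "imaging.bin").write_bytes(b"\x00\x01\x02constructed")
        manifest = build_manifest(backup)  # written while the copy was known-good
        (backup / "records" / "patient_a.txt").write_bytes(b"constructed post-incident bytes")
        (backup / "imaging.bin").unlink()
        return verify_backup(backup, manifest)
```

Any entry under "modified" or "missing" means the copy must not be used for rollback; fall back to the offline or versioned copy instead.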
2025-09-17 at 6:49 pm #50634
Myo Oo
Thanks for sharing, Yin Moe Khaing. As additional preventive measures, I would like to include the following:
Training – to conduct trainings and awareness campaigns for the employees and simulate phishing exercises periodically to keep them aware of digital security.
Regular Security Audits and Penetration Testing – to conduct regular security audits and penetration tests to find weaknesses in the systems, such as a bug bounty program.
2025-09-17 at 10:14 pm #50654
Soe Wai Yan
Dear Ma Yin,
Thank you for sharing such an interesting cyber attack. I think organizations should implement network segmentation to limit the spread of malware, conduct regular third-party security audits, and deploy advanced threat detection tools like AI-based monitoring to detect suspicious activity before it escalates into a full-blown breach.