While the headline “Hospital Network Gets Hit by Cyberattack” isn’t exactly breaking new ground in 2020, it is still surprising that a story about 300 workers getting displaced and chemotherapy patients having their treatment delayed because of a cyberattack is getting glossed over.
And yet that is exactly what has happened in Vermont. That is why we thought it would be helpful to unpack the details of this cyberattack and look at why it has been relatively ignored on a national scale.
Back in October, the University of Vermont Medical Center was the victim of a cyberattack. This attack put almost 300 workers on reassignment or furlough while UVM tried to deal with the fallout. Things were chaotic for a while as UVM’s electronic medical records system and patient information databases both went down, making patient care and appointment scheduling both very difficult. In fact, according to the latest report from the nonprofit investigative journalism platform VTDigger, things are still a little chaotic as officials and staff attempt to restore full functionality to hospitals.
The UVM Health Network operates six hospitals, four in Vermont and two in northern New York. All experienced a “major tech outage” on October 28 that disrupted patient care. For one thing, chemotherapy appointments were delayed, as were other serious procedures. Some elective procedures were also rescheduled because of the attack.
UVM Medical Center officials have not announced many details of the cyberattack. One reason for this is because the FBI asked them not to.
“Federal authorities have directed us not to discuss the details of the attack on our IT systems in order to preserve the integrity of their investigation,” explained UVM Health Network President and CEO John Brumstead in a November 10 statement. “What I can tell you is that this attack was very broad in its reach. That means our response and restoration must be very carefully planned to be sure we can safely and securely restore our systems.”
Since UVM is keeping its lips sealed and waiting for the FBI, it is still unclear whether ransomware or foreign actors were involved or not. As mentioned, the FBI has launched an investigation into the incident but appear to be waiting until its conclusion before releasing any details.
The cybersecurity unit of the National Guard was called into assist the crippled medical center locations. According to VTDigger, ten National Guard members were called up and assigned to work with UVM to “scan and remove malware from all laptops, medical equipment, and other devices hooked up to the network.”
As of November 12, IT staff in conjunction with National Guard members had cleaned and restored 1,000 out of 4,500 computers, though Brumstead admits this does not guarantee a quick or predictable recovery.
“Even with our daily gains, we do not yet have a timeframe for full recovery and restoration,” his November 10 statement reads.
Despite the unsure nature of UVM’s recovery, the medical network has been able to regain access to some of its medical records, meaning that patients’ medical histories, prescriptions, and past appointments through the date of the attack were visible. Obviously, this information is critical to providing care. Steve Leffler, president of UVM Medical Center in Burlington, VT, called the moment access was regained an “unbelievably huge first step” in returning to normal.
However, these recovered records were read-only. This means that new information cannot be entered into the system at this time. For now, UVM hospitals are still getting by with documenting appointments, recording treatment plans, and performing other tasks with pens and paper.
Healthcare Is Being Targeted
If the FBI ultimately finds that ransomware or foreign actors were involved in this attack, it would not come as much of a surprise. Coincidentally, on the same day that UVM was attacked (October 28), the nation’s cybersecurity agency CISA (along with the FBI and the Department of Health and Human Services) issued an alert about the “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
2020 has been an uncommonly bad year for healthcare providers. Not only have they been hit with the massive burden of caring for people with Covid-19, but they’ve been attacked at an unprecedented level. Here are a few surprising statistics about cybersecurity in the healthcare industry:
- Between 2017 and 2021, the number of ransomware attacks against healthcare organizations is expected to quintuple.
- Healthcare email fraud attacks have increased 473% in the last two years.
- Over 93% of health care organizations have suffered a data breach in the last three years
- 57% of healthcare organizations have suffered six or more data breaches in the last three years
- Healthcare organizations are predicted to suffer two to three times more cyberattacks than the average amount for other industries.
*Statistics all collected by Herjavec Group, a global cybersecurity form, in their report “The 2020 Healthcare Cybersecurity Report.”
In fact, part of the reason this attack has gotten buried is because there have just been so many data breaches, ransomware attacks, and other incidents that have happened to healthcare providers in 2020.
Why Is No One Talking About This?
A quick Google search reveals that the UVM Health Network Cyberattack has gotten little to no national coverage. The primary source for this research was the Vermont-based journalism nonprofit VTDigger (which has covered every chapter in this story for weeks).
Other outlets covering this event include Healthcare IT News, Vermont Biz, Sun Community News, WCAX3, Burlington Free Press, HealthITSecurity, and WPTZ-TV. Most of these are local, Burlington, VT-based outlets (or outlets that cover that area), and most of them published articles just on the day the news broke, October 29, and not after. VTDigger was one of if not the only outlet covering the events of this story day after day.
As mentioned, one reason why this attack may not have seen much coverage is because there are just so many like it. The UVM Medical Network attack was just one of many recent assaults against Healthcare providers, many of which have involved ransomware or foreign actors.
On November 13, Microsoft issued a statement about this issue titled, “Cyberattacks Targeting Health Care Must Stop. In it, Corporate VP of Customer Security & Trust Tom Burt acknowledged that nation-state actors from Russia and North Korea have been targeting vaccine researchers and pharmaceutical companies around the world at a relentless pace. Burt also shares a link to Microsoft’s AccountGuard, a threat notification service free for use to health care and human rights organizations working on Covid-19, which so far protects 1.7 million emails across 195 participating organizations.
So it appears that the incident at UVM was largely buried to do an abundance of similar stories. There are just too many stories like theirs for them all to get national attention. Still, it seems unusual that such a large incident affecting thousands didn’t make it too far out of Vermont. The rigorous work of local reporters at places like VTDigger should be commended for their efforts, though. If not for them, we might not have even heard of this story.