On Monday, September 28, 2020, Universal Health Services (UHS), a Fortune 500 company that provides medical services throughout the United States and the United Kingdom to millions of patients every year, informed the public at 10:45 a.m. via an online statement that it had suffered a computer systems failure in the U.S. over the weekend. Although the company initially claimed that it was an “IT security issue,” several sources have reported that it is an ongoing ransomware cyberattack that has left UHS employees at hundreds of locations unable to access patient files and other important medical information and equipment.
What Is a Ransomware Attack?
Cybercriminals find a way to access a computer system, and then lock it down to prevent the system administrator and other users from accessing their files. The malicious software, or malware, that they use encrypts everything and sends a message to the victims telling them that they must pay a ransom to the cybercriminals or suffer serious consequences. Most cybercriminals promise that they will return control of locked systems once they’re paid, but they don’t always keep that promise. Sometimes they release some or all of any private information on these computer systems to the internet. They usually wait until weekends to launch attacks because many companies reduce their staff, including cybersecurity staff, on weekends.
UHS Public Response
In the original online statement, Universal Health Services acknowledged that the network had been taken offline and that they were trying to resolve the problem “as quickly as possible.” The company explained that employees were making hard copies of patient information offline. It also claimed that patient and employee data had been safeguarded, and UHS employees were continuing to deliver safe and effective care to patients.
On Tuesday, September 29 at 7 a.m. ET, UHS issued more details in a press release. It stated that the company experienced a “technology security incident in the early morning hours of September 27, 2020,” and immediately “suspended user access” to operations IT applications and initiated “extensive information technology security protocols” as response measures.
Initial First-Hand Accounts
The story on the ground doesn’t seem to match the UHS claims. Nurses in Arizona and South Dakota who work for the company explained the initial moments of the attack to NBC. They stated that their computers lagged and then turned off on their own. Most of the systems hadn’t been backed up since Friday night.
People claiming to be UHS employees stated on Reddit that the ransomware initially shut down antivirus programs and then the computers. Systems would repeatedly shut down any time someone tried to turn them back on. Bleeping Computer also spoke with UHS employees who described the attack. The properties of the ransomware seem to match those of the Ryuk ransomware, which has been linked to Russian cybercriminals. Some witnesses state that they saw the .ryk file extension and the “Shadow of the Universe” screen message associated with it before their computers shut down.
Life and Death Scenarios Play Out
Health system cyberattacks have been of heightened concern to cybersecurity experts and others in recent years because these attacks can literally kill people. As proven by this attack, modern hospitals are extremely reliant on computers. As computer security engineer Kenneth White explained to NBC: “When nurses and physicians can’t access labs, radiology or cardiology reports, that can dramatically slow down treatment, and in extreme cases, force re-routing for critical care to other treatment centers.”
In May 2020, the largest private operator of hospitals in Europe, Fresenius, suffered a massive attack that involved Snake ransomware. The attack came roughly a month after Interpol announced that hospital and medical services facilities involved with responding to the SARS-CoV-2 virus and COVID-19 pandemic were experiencing more ransomware-style attacks. At the time, Interpol Secretary General Jürgen Stock referred to “ruthless cybercriminals who are looking to make a profit at the expense of sick patients.” German police are currently investigating the death of a woman who died in relation to a recent hospital cyberattack that forced her transfer to a different hospital. They’re referring to her death as a homicide. Some experts are now referring to hospital cyberattacks as acts of cyberterrorism.
The Associated Press spoke with employees of Universal Health Services in D.C. and Texas who claimed that the computer shutdowns created immediate chaos and disrupted critical emergency room and coronavirus services. Employees had difficulty using devices that they rely upon to monitor patients because they had to switch from wireless to hard-line Ethernet connections. Diagnostic test results became mostly inaccessible and many facilities have experienced phone problems. Emergency room wait times have been extended at some sites to up to six hours from their previous 45-minute standard time frames. Some facilities have had to re-route patients in need of critical care to non-UHS sites. Sources in California and Florida informed TechCrunch that staff were told that the computers might remain offline for days. Many of the more than 90,000 employees have been forced to work with little more than pen and paper. Nurses and physicians are hand-writing medication labels at some sites.
The U.S. economy has been battered by the pandemic and responses to it at every level. Healthcare is a massive part of the economy. When healthcare facilities suffer from a ransomware or other cyberattack, all businesses and organizations who receive revenues related to those facilities endure greater chaos and stresses. Beyond the millions that the attacked healthcare system loses, associated businesses and organizations suffer in two ways: Their cost to do business increases as they try to work around the disruptions, and they suffer severe revenue losses:
An attack on a healthcare services company can disrupt on-site cafeteria and gift shop transactions, health insurance-related payouts and on-site and off-site pharmacy and assistive device orders. Private physicians affiliated with these facilities see a decrease in patients at their locations since they can’t request patient records or time appointment schedules since the information that they need is locked away in non-working computers. If the cybercriminals gain access to third-party cloud server logins and passwords, doctors and others who remote-access files via the cloud are suddenly cut off.
As traffic to affected facilities decreases or shifts to other hospitals, nearby restaurants and retailers suffer a loss of revenues as fewer hospital staff, patients and others visit their locations. Even construction companies and non-profit organizations who work with these hospitals can experience losses because they might be unable to retrieve information needed to continue with their projects.
The amount of human loss and economic fallout from this attack is not yet known. This is an ongoing news story.