Going Offline During a Pandemic: United Health Services Gets Hit with Ransomware

It’s been a rough week for Universal Health Services, one of the largest health networks in the country. The company was hit with a nation-wide cyberattack, bringing down its IT system. Facilities had to reroute ambulances and patients to nearby facilities at the last second, creating a patchwork of care in some of the nation’s most vulnerable areas.

The company oversees more than 400 locations, including 26 acute care hospitals, 328 behavioral health facilities and 42 outpatient facilities across the U.S., Puerto Rico, and the U.K. According to eyewitness reports, computers began failing over the weekend, leaving staff locked out of the system. Ransomware is designed to take IT systems offline, holding this data for ransom. As soon as the administrators pay the requested fee, the hackers will release the data and restore the IT system.

Find how one of the largest medical cyberattacks in history nearly brought down one of the world’s busiest health networks.

Going Back to Pen and Paper

Things quickly took a turn for the worst over the weekend at various United Health Services facilities. Multiple nurses on staff, who wish to remain anonymous considering their employer did not authorize them to speak with the media, said the outages came out of nowhere. Almost immediately, staff had to start recording patient information with pen and paper.

One nurse working in North Dakota said that all the computers slowed to a stop on Sunday morning to the point where they wouldn’t even turn on. Another provider from Arizona said that the computer seemed to turn off on its own.

For the Arizona facility, all medication information is stored online. The nurse said the system automatically backs itself up at the end of the day, but providers didn’t have access to this information. “We had those up to date as of the 26th,” the nurse said. “Now we had to hand-label every medication. It’s all improv.”

While many facilities went quiet during the crisis, nurses from other United Health Services facilities started sharing their experiences online via Reddit. One nurse wrote, it was “a hot mess in the ER today.” Ambulances with heart patients were being diverted because the facility’s catheterization lab was down. Amid the attack, computer screens started filling up with messages about the “shadow universe.”

Another nurse in California posted, “Our ER is closed to ambulances and OR’s are closed and all ambulances and surgeries are being rerouted.” Staff members were quickly told to leave the computers offline and that they wouldn’t be coming back online for several days.

Representatives from the company said that personal information from patients or employees doesn’t seem to have been copied or misused. In an official statement, they wrote, “We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively.”

A Troubling Pattern

Hackers tend to focus their efforts on healthcare facilities for several reasons. For one, they tend to own large swaths of personal information. Time is also of the essence in the healthcare industry, so companies may be more willing to pay the ransom if it means getting back online as fast as possible, especially when peoples’ lives are at stake.

A 2018 Verizon Data Breach Report shows that ransomware is now the most used type of malware. 2016 was one of the worst years for cyberattacks among healthcare providers as they were the victims of 88% of ransomware attacks.

At the start of the coronavirus pandemic, ransomware operators said they wouldn’t target health systems during the crisis. These groups often disguise their identities, and many of them have been linked to foreign adversaries. The attack on United Health Services is believed to have been conducted by Ryuk ransomware, which is connected to a Russian group of cybercriminals. Ryuk was one of the few ransomware operators that refused to spare healthcare facilities during the pandemic.

Speaking out on the recent hack, lia Sotnikov, vice president of product management for IT security firm Netwrix, said, “It is sad to see that despite hackers’ claims to stop healthcare cyber-attacks during COVID-19 crisis, such attacks still take place.”

We could see more of these attacks in the months ahead, even though ransomware operators promised to spare healthcare facilities during the pandemic. Clearly, Ryuk doesn’t play by these rules. Even a minor disruption to IT systems can be disastrous for patients.

Kenneth White, a computer security engineer that specializes in working with hospitals, says, “When nurses and physicians can’t access labs, radiology or cardiology reports, that can dramatically slow down treatment, and in extreme cases, force re-routing for critical care to other treatment centers. When these systems go down, there is the very real possibility that people can die.”

Hackers tend to target hospitals on the weekends when there aren’t as many IT professionals around. Keep your eyes peeled for suspicious emails and messages, so your facility doesn’t become the next victim of a cyberattack.