The Federal Bureau of Investigation is investigating a cyberattack that caused a shutdown of the University of Vermont Health Network’s online systems.
UVM Medical Center President Steve Leffler said Thursday officials had not identified the source of the attack that had downed the electronic health records system and its patient portal, where patients can access their appointment information and medical history. After learning of the issues on Wednesday afternoon, the staff switched to all paper medical records, Leffler said.
Some appointments Thursday were cancelled, including certain surgeries and elective X-rays, Leffler said. The Burlington hospital has temporarily stopped taking trauma patients transferred from other emergency rooms. The system shutdown will likely delay the result of some Covid tests.
At a press conference, Leffler offered assurance that in spite of the outages, patients can expect to receive the care they need. “It has impacted some things we do, but today we’ve done operations, we’ve taken people through the ER, babies have been born, things have been happening normally through the day,” said Leffler. “The tools we use are a little different today, but we’re able to provide high-quality care.”
The disruption could be connected to a spate of ransomware attacks directed at hospitals around the country, and could shut down some services for several days, according to a Burlington-area cybersecurity expert, Jonathan Rajewski, a vice president at Stroz Friedberg, which is helping to combat similar attacks.
“The scary thing is what [such attacks] could do to a regional hospital like UVM Medical Center,” Rajewski said. “It’s destructive in nature.”
Several of those hacking attempts have been linked to an Eastern European group known as “Wizard Spider” or UNC 1878.
Leffler said he didn’t know whether UVM Medical Center had been hit by malware or ransomware. He couldn’t say what online systems were impacted, whether the hospital had lost data that was backed up, or how long the hospital would continue to use paper medical records.
“We’re prepared if this lasts one more day or a week,” he said.
The FBI and the Vermont Department of Public Safety are continuing to investigate, he said.
FBI spokesperson Sarah Ruane confirmed Thursday afternoon that the bureau was working on the case. She declined to provide further detail on the investigation.
Medical record systems at UVM Health Network’s six hospitals — UVM Medical Center, Central Vermont Medical Center in Berlin, Porter Medical Center in Middlebury, Alice Hyde Medical Center in Malone, N.Y., Champlain Valley Physicians Hospital in Plattsburgh, N.Y., and Elizabethtown (N.Y.) Community Hospital — were all affected to some extent, but Leffler said he didn’t know what services were down. All patients who haven’t been contacted should plan on attending their appointments, he said.
According to Rajewski, similar attacks by the malware known as Ryuk have been increasing in recent months. He said he’s seen ransomware hit businesses and nonprofits of every size and in every sector. Recently, health care organizations have been a target. Since July, hospitals in New York, Nebraska, Ohio, Missouri and Michigan have reported cyberattacks. In recent days, an Oregon hospital and St. Lawrence Health Systems in New York were also hit.
On Wednesday night, federal officials — from the FBI, Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services — warned of an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.” Health care providers should “take timely and reasonable precautions to protect their networks from these threats.”
The extent and damage from such attacks can vary, said Rajewski.
Attackers typically send out a phishing email and trick the recipient to click on a link or open an attachment, according to Rajewski. Once they have access, the hackers may map the servers, steal passwords to access accounts and information, and delete backup information.
Often, the hacker may be in the system for as long as two weeks before they shut down the system, Rajewski said.
Depending on the size of the hospital and its readiness, it takes four days to a week to fully resume operations, Rajewski said. In some cases, if the backed-up data has been deleted, the hospital may ultimately hire a lawyer and pay the ransom, which can take months.
Leffler said he hadn’t been asked for ransom or been contacted by the perpetrators. He said the hospital had no evidence that any patient information had been stolen or compromised.
“As soon as we knew something was happening yesterday, we shut everything down in the system including all patient information. At this point, we’re still investigating what’s been impacted,” he said.
For now, the hospital is focusing on caring for its patients. “We don’t think it’s going to be over in hours, we’re planning for more days,” Leffler said. But, he said, “we are well prepared to take care of our patients for as long as it takes to bring the system back up safely.
