On Thursday, a patient arrived at Copley Hospital in Morrisville with a heart attack. Any other time, he would have been quickly transferred to UVM Medical Center’s cardiology catheterization lab, where cardiologists have the tools to put in a stent or treat blockages in the arteries, said director of emergency services Michael Brigatti.
But after a cyberattack shut down the online systems at UVM Medical Center, the patient stayed at Copley.
Dr. Stephen Leffler, head of the state’s largest hospital, said Friday it will likely be days before computer systems shut down by a cyberattack will be back up. The outage has left hospitals and patients around the state scrambling to find ways around the services they depend on at the medical center.
“It’s caused a lot of stress for a lot of small hospitals,” said Joe Woodin, CEO at Copley Hospital. His 25-bed facility typically transfers about 25 emergency patients a week to UVM. All those transfers were halted as a result of the hack. The patient who experienced the heart attack was doing fine, Brigatti said.
The attack delayed Covid-19 test results by 24 hours at Northeastern Vermont Regional Hospital, said CEO Shawn Tester. Gifford Medical Center stopped most testing on Thursday, before finding another lab to run the tests, according to spokesperson Ashley Lincoln.
The outage caused by the attack, which was first identified Wednesday, shut down the UVM Medical Center’s electronic health records system, limited appointments, and slowed capabilities for Covid-19 testing. On Thursday, the FBI started investigating the cyberattack.
At a press conference, Leffler said he didn’t know whether the disruption was caused by ransomware, as has been the case at more than two dozen hospitals across the country. Russian cybercriminals have deployed a type of malware that infects computers and locks up systems until the victims pay a ransom, according to a Wall Street Journal story about how hackers have hit hospitals in recent days.
FBI spokesperson Sarah Ruane did not respond to a request for comment Friday.
UVM Medical Center is now using paper records and performed only half of the operations and procedures regularly planned for Friday, Leffler said. Instead of 40 to 60 surgeries, between 25 and 30 were performed. All operations that were considered critical were done; others were rescheduled, he said.
The system shutdown is affecting UVMMC the most, but the other five hospitals in the UVM Health Network have also been impacted, Leffler said.
Leffler said the computer team was making progress restoring the network, but staff had been told to plan on continuing to use paper records through at least early next week. He said he expected it would be days, not weeks, before service was restored.
The hospital chief said he was unaware of any ransom demand.
“I am unaware of any requests for ransom. But I may not be involved in that,” Leffler said.
He also said he wasn’t aware of whether the cyberattack on UVM’s network used the same methods as other cyberattacks nationally.
“Our national investigative team and local [officials] asked us to not comment on exactly what happened and I’m also not an IT guy so I’m the wrong person to tell you, I’m not sure if it’s the same or not,” Leffler said.
Jonathan Rajewski, a Burlington area vice president at the national cybersecurity firm Stroz Friedberg, said in an interview Thursday that he had been fielding a flood of calls from affected hospitals, as well as facilities trying to protect themselves.
The recent attacks had previously been random, but had recently targeted the health care sector.
Now, “they aren’t handpicking different targets,” Rajewski said. “We were like, ‘whew. That’s just evil. Why would you target critical infrastructure during a pandemic?’”
Leffler said the quality of care has not been compromised but that efficiency has been impacted. He said the transition from electronic records to paper was “seamless” and praised the staff for their response and work through the crisis.
“They are trained for this and are handling it amazingly well,” he said.
In addition to putting off some procedures, the hospital is not taking transfers from other hospital emergency rooms, which Leffler estimated at 3,000 annually.
Outpatient radiology sites are closed, and breast imaging appointments are canceled, according to spokesperson Neal Goswami. The hospital has not been able to notify some patients due to the system outages.
The results of some Covid tests may be delayed, Leffler said, but he said officials believed no information in the system had been lost, and test results will be retrieved when the system is back up.
In the wake of the attack, other hospitals across the state have quickly tried to shore up their IT systems.
Tester, at the St. Johnsbury hospital, said he had been meeting with his staff to increase security, especially for the email system.
Woodin, the Copley CEO, said he and the IT staff have made sure the hospital is running automatic back-ups of patient information every night. Copley also backs up information on a tape that’s not connected to online systems.
“This has nothing to do with performance, intelligence, lack of investments,” Woodin said of the medical center’s preparation for the cyberattacks. “To be done to America, dozens of hospitals, during a pandemic, it’s extraordinarily discouraging.”
