
The University of Vermont Medical Center’s electronic medical records system is up and running nearly a month after the hospital fell victim to a cyberattack.
Over the weekend, the hospital tech team restored the Epic health records system, giving doctors and nurses full access to patient medical history, appointments, and medications, Al Gobeille, a vice president of operations for the UVM Health Network, said on Monday.
He called it “a big advancement in our recovery.”
Operations won’t fully return to normal for weeks, but the reboot marks the most significant step toward restoring normalcy after the cyberattack disrupted patient care and delayed appointments. On Oct. 28, the hospital IT staff noticed abnormal activity and shut down the hospital’s online operations. The hack downed hospital phone and email networks, eliminated access to patient records and appointments, and cut off the hospital’s ability to pay employees overtime.
A National Guard unit came in to help and the Medical Center’s IT team worked to restore nearly 5,000 computers. Nurses and doctors made a rocky transition to paper records.
Even now, many of the 500 applications that connect to Epic, such as the MyChart patient portal, and radiology and chemotherapy systems, are not yet live, said Gobeille. It will continue to be an “evolutionary process” over several weeks to get back to normal, he said.
The hospital still has to enter the data from the last month of appointments into Epic by hand, Leffler said. He praised the IT team and the staff for their “tremendous hard work” to get the system back online.
Tight-lipped officials
But four weeks after the cyberattack, hospital officials have offered little information about the cause of the attack or its perpetrators. However, several hospitals around the country that were hit at the same time were the victims of ransomware from the Russian group Ryuk.
The same day that UVM Medical Center was hacked, several federal agencies issued a warning about ransomware attacks from groups such as Ryuk and Conti perpetrated against hospitals “for financial gain.”
Leffler and Gobeille have refused to say whether they were targeted by ransomware. They’ve referred questions about any ransom, the impact to the system and who was responsible to the Federal Bureau of Investigation.
“We’ve been asked by the FBI not to discuss the incident,” Gobeille said. FBI spokesperson Sarah Ruane declined again to comment on Monday.
The hospital officials “don’t know of any” patient data breaches “at this time,” said Gobeille. He promised to work with the federal government to verify that information. “If we find any [information was breached], we will notify each person immediately,” he said.

But multiple hospitals attacked in the same time period as UVM have been much more public about their attackers. The St. Lawrence Health System information system went down the day before UVM Medical Center was hit.
IT staff at the hospital in northern New York found out early on it was ransomware, but never received a ransom request, according to spokesperson Pam Koslowski. By last week, the hospital had cleaned 1,800 computers, and restored access to nearly all hospital systems, she said.
Sky Lakes Medical Center in southwestern Oregon received a ransom request on Oct. 27 after an employee mistakenly clicked on an attachment in an email, said spokesperson Tom Hottman.
Instead of paying the cash, the hospital threw out and replaced all of its 2,000 laptops. Hottman said he didn’t know how much ransom the group asked for, but said hospital administrators couldn’t be sure that the system would be secure after they paid the ransom.
As of last week, the Sky Lakes system was mostly back to normal, though the hospital still couldn’t offer all of its radiation and oncology treatment. “We’re limping back,” Hottman said.
Cyber attackers typically either seek a ransom or seek access to patient data, said Jonathan Rajewski, a South Burlington-based cybersecurity expert. In the latter case, they may post the information on the dark web, sell access to another group, or use one data breach to gain even more access.
When hackers leave a ransom note, it’s very obvious — a pop-up or a message on the desktop, he said.
A hospital can be hit regardless of how prepared it is, he said. He compared the risk to that of a burglar in a home — even in well-secured homes, residents can mistakenly leave a window open, Rajewski said. Nor is there one simple way to fix the problem or address it in the future.
“It’s not like there’s a silver bullet or, or one piece of technology you can buy that will just help you all the time,” he said.
Gobeille said the hospital was already making the system more secure, and had already upgraded the email system. But, he warned, even with improvements, they wouldn’t be protected indefinitely.
“This is an arms race between our cyber IT folks and the bad folks,” he said. “We’re doing something now … to rebuild in new and different ways.” But, he added, how long will that last? “We’ll see.”
