
University of Vermont Medical Center’s IT chief revealed Tuesday that it was a ransomware attack that downed the hospital’s online systems in October.
The attackers left a link in a single folder on a network computer to contact the hackers. It presumably led to a ransom request — but hospital officials never opened the link to check.
“We considered it for about five seconds,” said Doug Gentile, senior VP of network information technology. Ultimately, contacting the hackers or paying a ransom wouldn’t have saved time or effort, Gentile and hospital leaders concluded.
Gentile’s reconstruction provided the first glimpse into the cause of the cyberattack, which crippled Vermont’s largest hospital for weeks. In the nearly two months following the hack, hospital officials have remained tight-lipped about the perpetrators and methods of the attack, citing an ongoing investigation by the Federal Bureau of Investigation.
While other hospitals attributed attacks around the same period to Russian-speaking attackers using Ryuk malware, the UVM Medical Center president and CEO, Steve Leffler, has kept quiet.
“I’m not aware of a ransom request,” he said last month.
Gentile refused to say who was responsible for the hacks or whether they were associated with foreign groups, citing the ongoing investigation. He also wouldn’t say how the attackers got into the system. The remaining applications will be restored by early January, he said.
When hospital IT staff realized their system had been breached on Oct. 28, they shut down the internet and Epic health records system to prevent further infiltration. The hackers encrypted the information on 1,300 servers, making the information on them impossible to access.
The attack downed the phone system, cut off access to staff emails and medical records, and slowed the hospital’s ability to provide radiation treatment and run scans.
Within hours, hospital staff conducted a scan of the system and found a folder with a link to a website with instructions to contact the attackers. Ultimately, they never went to the site to get the message, and never had direct communication with the attackers, Gentile said.
If the hospital had paid a ransom, it wouldn’t have helped much; hackers could have unencrypted the data, but the medical center still would have had to clean and restore the computers to be sure the malware was no longer present.
“It wasn’t going to save us any time,” Gentile said.
Instead, the hospital brought on Cisco Talos, an IT security company that the medical center keeps on retainer. It also reached out to law enforcement agencies to help with analysis and recovery, including the FBI. Gov. Phil Scott deployed a unit of the Vermont National Guard to help out.
The team wiped the servers clean and rebuilt them, and wiped and reimaged 5,000 laptops and computers.
“For an organization of our size, that is just a huge undertaking,” Gentile said.
The shutdown postponed appointments, and led to scheduling mishaps. Some patients’ chemotherapy and radiation treatments were delayed. For others, it took weeks to find out whether cancer biopsies were malignant. Others went to Northwestern Medical Center in St. Albans or Dartmouth-Hitchcock Medical Center in Lebanon, N.H., for treatment.
In the weeks after the incident, UVM Medical Center furloughed and reassigned more than 300 employees. The attack and subsequent recovery likely cost the hospital about $1.5 million a day in lost revenue and expenses, Leffler said earlier this month.
By now, the hospital’s IT team has restored about 80% of the applications, including the patient portal and all the electronic medical records system, Gentile said.
There were bright spots, the IT chief noted. Hospital staff noticed the attack early, and it had minimal effect on the affiliate hospitals, including Central Vermont Medical Center in Berlin and Porter Community Hospital in Middlebury. It also didn’t breach any of the medical center’s applications, Gentile said. There’s no evidence that patient or employee data was stolen or leaked.
The hospital will continue to improve its security systems, Gentile said, though he predicted the attacks would only continue.
“It’s become clear that this really is an arms race,” he said. “We’re all going to continually have to update our tools, our approaches, just try and stay ahead of the bad guys in a situation.”
