top of page

Cyber Experts Weigh-In: Universal Health Services Hospital System Ransomware Attack

Updated: Nov 16, 2022

On Monday, the cyber community saw what some have deemed the largest ransomware attack in history. NBC first reported: "Computer systems for Universal Health Services, which has more than 400 locations, primarily in the U.S., began to fail over the weekend, and some hospitals have had to resort to filing patient information with pen and paper, according to multiple people familiar with the situation."

Ransomware has been rapidly on the rise for sometime now. According to Trustwave's 2020 GSR, ransomware overtook payment card data in breach incidents for the first time this past year when comparing types of information most targeted by cybercriminals. And according to Microsoft, ransomware is the most common reason behind its incident response engagements from October 2019 through July 2020. Microsoft says, "The Department of Homeland Security, FBI and others have warned us all about ransomware, especially its potential use to disrupt the 2020 elections."

With this week's attack, and the recent death at a German hospital linked to ransomware, we wanted to hear what cyber experts had to say about the growing, and now deadly, threat of ransomware and lessons we can learn from UHS' recent attack.

Matthew Gardiner, cybersecurity strategist, Mimecast

“Despite data showing that the healthcare industry has a strong, dedicated cybersecurity approach in place – from awareness training to internal email protection – it continues to be a main point of attack for cybercriminals. In fact, 90% of healthcare organizations were hit by email borne attacks in the past year, with nearly three quarters (72%) experiencing downtime as a result of an attack. The industry should not be naïve to think that cybercriminals would overlook it simply because of the current pandemic. On the contrary, cybercriminals know that the industry is spread thin, widening its vulnerability surface. As such, targeting healthcare organizations like Universal Health Services with ransomware has a high potential return for malicious actors, putting operations, including patient care, and sensitive patient data at risk. 

With this in mind, healthcare organizations cannot be reliant on IT security controls of the past. Security and resilience systems cannot just be “good,” they need to be top-notch. Healthcare organizations should be protecting themselves within, at, inside and beyond the perimeter with email security and threat protection. They should have a comprehensive backup and recovery plan and business continuity options in place to ensure that their data is protected and recoverable should a system go down. They should provide consistent training to their employees to be aware of and prepared to thwart a potential attack. Healthcare organizations are not immune to ransomware and must have plans in place in the inevitable situation that they are targeted.”

Tim Bandos, Vice President of Cybersecurity, Digital Guardian

“Even during a pandemic, ransomware distributors continue to take advantage of the healthcare industry while medical professionals are continuously working hard to slow down the contagion and save lives. Cybercriminal gangs only care about one thing: to profit even at the greatest expense of all.

Some ransomware developers have signaled to the industry that they would not target healthcare facilities to show some sign of empathy; however, these statements are clearly non-binding and will continue. These actions should only further enforce the requirement for all businesses running computing technology that supports health services to implement controls and technology that actually work to prevent the spread of ransomware or any other form of cyber-attack that disrupts operations.

The Ryuk ransomware, which is believed to be associated with the UHS attack, is commonly delivered via email from phishing links or attachments. There are a myriad of controls that could stop this from email filtering, end-user security awareness, patching devices, endpoint protection platforms, to anti-virus. Hospitals need to fund cybersecurity programs more appropriately with a focus on gaining the right level of visibility across the environment and providing regular training to staff given the amount of responsibility they have on keeping patients safe. Not to mention protecting sensitive data and PII which inevitably becomes a primary target in soliciting payment.”

Ray Canzanese, Threat Research Director at Netskope

"The Ryuk ransomware used in this attack has recently been spread using Emotet. Emotet uses cleverly crafted bait emails and cloud apps to deliver highly obfuscated Office documents that evade traditional AV. When the victim opens the Office document, it typically uses VBA scripts, WMI, and PowerShell to download the payloads, which have included the Ryuk ransomware. Enterprise security software can go a long way toward preventing ransomware infections like this. Multi-layered defenses that scan both traffic on the network and files on the endpoint can help ensure that Emotet or some other Trojan never gets opened by one of your users. The scanners themselves should also include multi-layered defenses, including signature-based and ML-based AV, static file analysis, and dynamic sandbox execution to ensure that even zero-day, highly obfuscated samples are detected. Such defenses can also help prevent exploitation of known vulnerabilities. However, the best defense against known vulnerabilities is patching. For example, the recent Zerologin vulnerability CVE-2020-1472 is already being exploited in the wild."

Recovering from ransomware attacks generally requires isolating and re-imaging infected machines. The isolation phase can be very disrupting as entire segments of the network containing infected machines might be taken offline as a precaution. Once the attack is isolated, the recovery begins. This typically requires a labor-intensive process of re-imaging infected machines and restoring data from backups. Depending on the availability of spare hardware, capacity to re-image infected machines, and the availability of backups, this can be a lengthy process.

Organizations need to constantly question if their security practices are optimal. I always gauge preparedness with the following questions: 'Is your organization prepared to defend itself against ransomware attacks, and is it prepared to respond to a ransomware attack if it happens?' For defense, take a look at your patching strategy. 'Is it working? Does it have any gaps?' Also, take a look at your security controls. 'Are they robust enough to detect zero-day samples? Are there any blind spots on your network?' For response, take a look at your network and security operations teams. 'Do you have the appropriate visibility and alerting in place? Can you effectively isolate affected systems from the rest of your network? Do you have backups and processes in place for a speedy recovery?'"

Taylor Lehmann, Partner, SideChannel Security and former CISO at athenahealth

"In the US, health care organizations are required (by HIPAA) to have contingency plans in place in the event operations of the hospitals are disrupted so that they may continue providing care. When ransomware attacks (or any other disruption occurs for that matter) occur at hospitals who have strong contingency plans that they practice regularly, these organizations have a better chance to continue providing care and restoring operations.

I am unclear on what German's health systems mandate are on this matter, but it seems very odd that a ransomware attack on a computer system of the type discussed could deny care to a human being. Physicians are trained to treat people in emergency scenarios and often provide care without needing a computer at all. Emergency ambulances call ahead to check capacity of a given health facility before attempting to deliver a patient there. Certainly, other controls failed - in addition to the those that should have stopped the ransomware or restored computer operations - which led to this. It's very sad.

It's peculiar why the German health system shut its emergency room down - its clear they weren't ready for a ransomware attack, but it's also clear they weren't ready for any real type of contingency of any type.  One doesn't simply shut down an ER - ramifications of this decision include this result.