UHS Health System Ransomware Attack, Security Probed by Senator

Sen. Mark Warner is asking Universal Health Services (UHS) health system to provide insights into its cybersecurity policies, following a massive ransomware attack and subsequent EHR outage.

Sen. Mark Warner, D-Virginia, sent a letter to Universal Health Services CEO Alan Miller, demanding answers about the health system’s cybersecurity policies in light of the September ransomware attack that drove all 400 UHS sites in the US into EHR downtime procedures for three weeks.

Warner is one of the strongest cybersecurity proponents in Congress, co-founding and co-chairing the bipartisan Senate Cybersecurity Caucus. 

On September 27, UHS staff from around the country took to Reddit to determine if other sites were experiencing IT troubles. The UHS workforce described a massive system outage, with no access to computers, phones, the internet, or the data center. Some hospitals diverted ambulances directly after the attack, and lab test results were also delayed.

As it was described, the cyberattack began around 2 a.m. that Sunday morning, shutting down systems in the emergency department and quickly propagating across the network. Hard drives lit up with activity before all computers were shut down, while the antivirus appeared to have been disabled by the attack. Users took screenshots of the event, which appeared to be a Ryuk ransomware attack.

UHS officials confirmed the attack the following day, calling it an IT disruption and confirming sites were operating under EHR downtime procedures. By October 3, the health system had confirmed all US sites were affected, and the IT team was continuing to work on restoring systems.  

All sites were brought back online by October 12, a full three weeks after the initial attack. In response, Warner is asking whether UHS had “adequate cybersecurity hygiene” in place to better understand the scope and impact of the attack. 

“As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity,” Warner wrote. 

“The national health crisis during the COVID-19 pandemic only exacerbates the consequences of insufficient cybersecurity,” he continued. “Clinical providers including UHS must ensure all information, medical, and critical systems are sufficiently protected. Ransomware continues to impact organizations that have not demonstrated sufficient risk management maturity.” 

Warner expressed concern that as UHS added 250 medical facilities across the US in the last 40 years, cybersecurity could potentially be an afterthought to the cost savings of value-based care. And often, hospital systems will spend resources on greater operational efficiencies – but not necessarily information security. 

Further, the number of medical facilities sharing connected devices, systems, and networks drives the need for increased cybersecurity to protect “a significantly larger attack surface.” Without appropriate segmentation, the risk of lateral movement in the event of an attack is heightened. 

“An unmitigated breach in one facility can cripple systems at hundreds of medical facilities, risking patient care throughout a large provider network while healthcare delivery remains strained by a pandemic,” he added. 

In response, Warner asked UHS CEO Miller to outline the health system’s vulnerability management process, in particular its patch management policies across the health IT infrastructure. Miller must also describe how each UHS site and network is isolated from each other to prevent a breach at one facility from proliferating and impacting other sites. 

Warner also wants insights into UHS segmentation measures and third-party risk management policies, as well as the health system’s requirements for cybersecurity and risk assessments and how clinical medical devices are isolated from administrative systems and networks to prevent breaches. 

In addition, Miller must name the executive tasked with oversight of UHS information security and state to whom that executive reports.

Lastly, Warner asked whether the ransom demand was paid or whether UHS intends to pay the hackers. He also asked whether any patient records, healthcare information, or other HIPAA-related data was affected or suffered a denial of access during the ransomware attack, and whether that data, or any UHS information, was exfiltrated during the attack without authorization.

“Patients deserve to know that healthcare systems are secure, particularly as the nation faces a pandemic straining resources nationwide,” Warner wrote. “When a cybersecurity failure occurs, patients need reassurance that their healthcare provider is committed to learning from and responding to this truly concerning incident, and that it is taking all appropriate steps to help ensure it cannot happen again.” 

Miller must provide Warner with responses within the next two weeks.