Late in the morning of October 28, staff at the University of Vermont Medical Center noticed that the hospital’s phone system was not working.
Then the Internet went down, and the technical infrastructure of the Burlington-based center with it. Employees have lost access to databases, digital medical records, scheduling systems and other online tools they rely on for patient care.
Administrators have struggled to keep the hospital operational – canceling non-urgent appointments, reverting to pen-and-paper record keeping and redirecting some intensive care patients to nearby hospitals.
In its main lab, which performs around 8,000 tests a day, employees printed or wrote down the results by hand and passed them on to specialists across the facility. Obsolete and Internet-less technologies have experienced a revival.
“We went around and got all the fax machines we could,” said Al Gobeille, director of operations at UVM Medical Center.
The Vermont hospital had fallen prey to a cyberattack, becoming one of the most recent and visible examples of a wave of digital assaults taking U.S. healthcare providers hostage as cases of COVID-19 pour in across the country.
On the same day as the UVM attack, the FBI and two federal agencies warned that cybercriminals were stepping up their efforts to steal data and interrupt services in the healthcare industry.
By targeting providers with attacks that scramble and block data until victims pay a ransom, hackers can demand thousands or millions of dollars and wreak havoc until paid.
In September, for example, a ransomware attack paralyzed a chain of more than 250 American hospitals and clinics. The resulting outages delayed emergency room care and required staff to restore critical heart rate, blood pressure and oxygen level monitors with Ethernet cabling.
A few weeks earlier, in Germany, the death of a woman became the first death initially attributed to a ransomware attack, although the link was later refuted. Earlier in October, facilities in Oregon, New York, Michigan, Wisconsin and California also fell prey to suspected ransomware attacks.
Ransomware is also partly responsible for some of the 700 or so private health information violations, affecting approximately 46.6 million people and currently under investigation by the federal government. In the hands of a criminal, a single patient record – rich in details about a person’s finances, insurance, and medical history – can sell for up to $1,000 on the black market, experts say.
During 2020, many hospitals have postponed technology upgrades or cybersecurity training that would help protect them from the latest wave of attacks, said Nick Culbertson, healthcare security consultant.
“The amount of chaos that has just built up here is a real threat,” he said.
With COVID-19 infections and hospitalizations on the rise across the country, experts say healthcare providers are dangerously vulnerable to attacks on their ability to function effectively and manage limited resources.
Even a small technical disruption can quickly spill over to patient care when a center’s capacity is depleted, said Eric Johnson of Vanderbilt University, who studies the effects of cyberattacks on health.
“November has been a month of increasing demands on hospitals,” he said. “There is no room for error. From a hacker’s point of view, that’s perfect.”
A “call to arms” for hospitals
The day after the October 28 cyberattack, Joel Bedard, 53, of Jericho, arrived for a scheduled appointment at Burlington Hospital.
He was able to come in, he said, because his fluid drainage treatment isn’t high-tech, and it’s something he receives regularly while waiting for a liver transplant.
“I did it, they took care of me, but man, everything is down,” said Bedard. He said he had not seen any other patients that day. Much of the medical staff remained inactive, doing crossword puzzles and explaining that they were forced to document everything by hand.
“All the students and interns are like, ‘How did it work back then?’” he said.
Since the attack, the Burlington-based hospital network has referred all questions regarding its technical details to the FBI, which has refused to release any further information, citing an ongoing criminal investigation. Officials do not believe that a patient suffered immediate harm or that the patient’s personal information was compromised.
But more than a month later, the hospital is still recovering.
Some employees have been placed on leave until they can resume their normal duties.
Oncologists could not access scans of older patients, which could help them, for example, compare the size of the tumor over time.
And, until recently, emergency room clinicians could take x-rays of fractured bones but could not electronically send the images to radiologists at other sites in the healthcare network.
“We didn’t even have the Internet,” said Dr. Kristen DeStigter, director of the radiology department at UVM Medical Center.
Soldiers from the State National Guard’s cyber unit helped hospital IT professionals scan the programming code of hundreds of computers and other devices, line by line, to clear any remaining malicious code that could re-infect the system. Many have been brought back online, but others have been completely replaced.
Colonel Christopher Evans said this was the first time the unit, founded about 20 years ago, has been called upon to accomplish what the guard calls a “real world” mission. “We’ve been training for this day for a very long time,” he said.
It could be several weeks before all the associated damage is repaired and the systems are functioning normally again, Gobeille said.
“I don’t want to spark people’s hope and be wrong,” he said. “Our people are working 24 hours a day, 7 days a week. They are getting closer and closer every day.”
It will be difficult for other healthcare providers to protect themselves against the growing threat of cyber attacks if they haven’t already, said data security expert Larry Ponemon.
“It’s not like hospital systems have to do something new,” he says. “They just need to do what they should be doing anyway.”
Current industry reports indicate healthcare systems spend only 4-7% of their IT budget on cybersecurity, while other sectors like banking or insurance spend three times as much.
Research by consulting firm Ponemon shows that only about 15% of healthcare organizations have adopted the technology, training and procedures necessary to manage and thwart the flow of cyber attacks that they regularly face.
“The others fly with their heads down. This number is unacceptable,” Ponemon said. “It’s a pitiful rate.”
And that partly explains why cybercriminals have focused their attention on healthcare organizations – especially now, as hospitals across the country face a surge in COVID-19 patients, he said.
“We are seeing real clinical impact,” said Dan L. Dodson, cybersecurity consultant for healthcare. “It’s a call to arms.”