Universal Health Services' IT Network Crippled
Apparent Ransomware Attack Has National Impact
UPDATE: Tuesday, Universal Health Services issued an updated statement and also filed a form 8-K with the Securities and Exchange Commission about the incident. It notes that the company "suspended user access to its information technology applications related to operations located in the United States. The company has implemented extensive information technology security protocols and is working diligently with its security partners to restore its information technology operations as quickly as possible. In the meantime, while this matter may result in temporary disruptions to certain aspects of the company's clinical and financial operations, the company's acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively."
In a Monday statement, UHS, a publicly traded company based in King of Prussia, Pennsylvania, says: "The IT network across Universal Health Services facilities is currently offline, due to an IT security issue. We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible."
The statement adds: "In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or otherwise compromised."
UHS says it treats 3.5 million patients annually and reported revenue of more than $11 billion in 2019. Its 400 facilities include acute care hospitals, behavioral health and residential treatment facilities and outpatient centers across the U.S., Puerto Rico and the United Kingdom.
A spokeswoman for UHS tells Information Security Media Group that UHS' U.K. facilities are not affected by the incident. She declined further comment beyond the company's statement.
According to a post on Reddit by an individual who claims to work at a UHS facility in the Southeastern U.S., on Sunday at approximately 2 a.m., systems in the facility's emergency department "just began shutting down."
The individual says: "I was sitting at my computer charting when all of this started. It was surreal and definitely seemed to propagate over the network. All machines in my department are Dell Win10 boxes."
Anti-virus programs were disabled by the attack, and hard drives "just lit up with activity," the individual writes. "After one minute or so of this, the computers logged out and shut down. When you try to power back on the computers they automatically just shut down. We have no access to anything computer based including old labs, EKGs, or radiology studies. We have no access to our PACS radiology system."
Media outlet Bleeping Computer reports that a UHS insider says that during the incident, files were being renamed to include the .ryk extension. This extension is used by the Ryuk ransomware.
Likewise, citing "people familiar with the incident," the Wall Street Journal reports that the attack did indeed involve ransomware.
'Safety Risk to Patients'
Brett Callow, a security threat analyst at Emsisoft, tells ISMG that Ryuk is operated by a number of groups.
"However, the original gangsters seemingly took a hiatus in spring after which incidents tailed off considerably. Unfortunately, the original gangsters appear to be back in action with a series of very highly targeted attacks," he says.
"Attacks on healthcare organizations, and especially hospitals, represent a serious risk to patients," he says. For example, a recent ransomware incident at a German hospital allegedly resulted in the death of a patient who needed to be transported to another facility, delaying emergency care (see: Ransomware Attack at Hospital Leads to Patient's Death).
"We firmly believe that the only way to stop these [ransomware] attacks - and to keep hospitals safe - is to ban the payment of demands," he says. "Should that not happen, attacks will continue and more deaths are highly likely."
But it is not just the healthcare sector that is seeing an uptick in high-profile ransomware incidents, says Ilia Sotnikov, vice president at security vendor Netwrix. "Even outside of healthcare facilities, our daily lives largely depend on the network of connected computers and devices," Sotnikov notes. "In cases of cybercriminal activity, the end game is getting money, but unfortunately there are other attacker types, such as nation states or terrorist groups, that may want to leverage cybersecurity to cause real damage."