Vermont hospital cyber attack “Clinics were filled with tears, yelling and anxiety and stress”.
You probably heard about the ransomware attacks seizing up the operations of hospitals and attacking hundreds of others around the country that occurred during the pandemic.
"We are experiencing the most significant cybersecurity threat we've ever seen in the United States," Charles Carmakal, Mandiant's senior vice president and chief technology officer told CNN.
Cybersecurity experts are saying that the healthcare cyberattack is most probably the work of Russian state actors. One hospital is reporting losses of $1.5 Million per day. That doesn’t tell the story of the human toll, however. In this article, we dive into a day in the life of the people affected by this attack, even as the hospital they’re associated with surmounts substantial financial losses.
In October 2020, CISA (The US Cybersecurity and Infrastructure Security Agency), the FBI, and the Department of Health and Human Services released a statement that they have “credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers." Sure enough, hospitals in states including New York, Nebraska, Ohio, Missouri, Oregon, Wisconsin, Vermont, and Michigan have all been attacked by some form of ransomware, and their operations catastrophically compromised.
On October 28th, 2020 Chris Krebs, director of the CISA, warned via tweet that healthcare and public health individuals need to have their "shields up! Assume Ryuk is inside the house. Ryuk is a form of ransomware that was first identified in 2018.
The expert consensus is that Russian cybercriminal gangs distributed the Ryuk malware through one of the cybercrime world's largest and most notorious botnets — an aligned army of compromised computers — referred to in cybersecurity circles as Trickbot.
It’s been previously reported that Russian cybercriminal groups often work with the Russian government and many experts believe that groups like this operate with at least the tacit approval of, if not under the direction of, the state. As of this article, it hasn’t been confirmed if this is indeed a sanctioned attack on our healthcare system by a foreign actor, during a pandemic, or simply a chance for Russian-based cybercriminals to smash and grab from our healthcare system.
What we know is that multiple important health systems across the country had their IT systems seized up and were operating as if it were in the 1970s.
The human toll has been devastating.
We spoke with several people close to the situation. They all asked to remain unnamed as they were concerned about releasing information that could be tied to a specific health system that’s been compromised.
“There were days I put my head on my desk and cried.” This person works as an administrator in Gynecological Oncology, scheduling gynecological cancer treatments including imaging, chemotherapy, and surgeries.
“It wasn’t unusual for our systems to go down, sometimes for maybe 10 minutes. We use a system we call Downtime, which gives us access to records so that we can continue working with patients as they come in when the primary system we use goes down. We can’t edit or add to records using Downtime, but we can see what’s going on and manage patient flow. For those few minutes, the system is down, we usually keep paper notes and when the main system is back up, we enter the new information into the system.”
“This time it was different. The system went down and stayed down 10 minutes, then 2 hours, and then longer.”
“We knew this time felt different, and after 2 hours we started getting notifications that the system would be down for far longer than usual. We started to scramble to figure out how we were going to manage things. Our patients are going through a terrible time in their life, and they were showing up and we had no idea where they were in their treatment, we couldn’t schedule the next step."
"In some cases, imaging is used to decide their next step in chemo, so chemo treatments stopped. We couldn’t get COVID test results to confirm that surgeries could happen when they arrived with paperwork to be admitted, and in fact, we didn’t even know what surgery they were scheduled for and with who unless they brought paperwork with them.”
“They distributed notebooks and packs of sticky notes."
“We were in panic mode, just trying to stay afloat. They distributed notebooks and packs of sticky notes. Within a few days, there were piles of notebooks and sticky notes everywhere. We put people on paper waiting lists when they called. When someone called to cancel an appointment, that told us that we actually had an open spot that we could schedule and that we could call someone on the list and fill that spot in. Otherwise, we weren’t able to book any new appointments, we just waited for people to show up and tell us what they were there for or cancel and open a spot."
"The teamwork was amazing really, people who normally do billing literally put on sneakers and ran files from one part of the building to the other. If you imagine people in running shoes replacing the wires that were the computer systems, that’s basically what we did.”
“When people called, we asked them to bring us anything they could, any bottles of prescriptions, notes they had, calendar dates, images we’d given them, anything to help us figure out what to do next. We went from providing 60 chemo infusions a day to 10. Everyone else just had to wait."
“Clinics were filled with tears, yelling and anxiety and stress”.
“I didn’t sleep for 3 weeks. About halfway through, the system came partially back up. We could read but not write into records. People started panic printing everything, assuming it would go back down again. Now in addition to the piles of notebooks and sticky notes everywhere, there are literally piles of printouts feet tall, piled on chairs, along walls, and on top of file cabinets. I put all of my personal things under my desk to open up shelf space for paper.”
“Now we’re sitting in a sea of paper, it’ll take us weeks to catch the systems back up and we hope we can minimize errors as much as we can. We all know that a fair amount of the information that we enter will be inaccurate, so we’re going to be dealing with understandably unhappy patients for possibly a year.”
“I hope that no one in healthcare faces a situation like this ever again.”
We also spoke with a patient whose healthcare had been impacted, to hear the other side of this story.
“I was scheduled for physical therapy for my shoulder. This is a relatively minor thing, but it really made me think about what people with more serious conditions might be going through. When I arrived at my appointment, it was obvious that they had no idea that I was coming, who I was to see, or what I was there for. It was kind of scary, I mean, these people are supposed to be on top of people’s healthcare.”
“After we had a conversation, they thought they knew who I was to see and what the treatment was supposed to be for. When I got to my PT, she wasn’t able to check her notes on how she’d treated me so far, what my range of motion had been and what the next step should be. I kept thinking about people undergoing major surgeries or coming in with emergencies and it was all really quite shocking.”
“We based that session on her memory, she asked me ‘did we do this?’ or ‘did we do that?’ ‘Do you happen to recall what we said we’d do next?’ As frustrated as I was, I actually felt sorry for her, she was clearly distressed and embarrassed."
“When the treatment was done, they weren’t able to schedule my next appointment. They had no idea what my PT’s schedule was or anyone else for that matter. The way that they were handling it, they told me to keep calling back to see if anyone had canceled and suggested if so, to grab that time if I could. I write code for a living, and I was certainly surprised that things weren’t more secure."
“This is all over the local news and lots of people I know have been affected, I’d expect if they haven’t already, that heads are going to roll.”
The third person that we talked with works in a small surgeon’s office and is affiliated with the hospital that had been compromised.
“It started a couple of months ago. I do front office intake, so when a surgeon is done with a patient consult, they come to me to schedule diagnostic imaging like CAT Scans and MRIs as well as surgery like colonoscopies. The first sign that something was wrong was that we couldn’t process COVID tests from the hospitals affected so that our surgeons could operate that day or the next."
"Then we noticed that our wait times were increasing every time we reached out to the hospital to schedule or reschedule a surgery. Our local hospital hadn’t been compromised, but what we were advised was that because the capacity at the large regional hospital had been dramatically cut, they were sending patients to our local hospital, 30 minutes away, for procedures."
"What was typically a short phone call became from 10 - 30 minutes. Of course, that meant that the number of patients that we could process dropped by a lot. Now a problem that was at the large regional hospital all of a sudden was affecting our patients. Some of our patients are already under extreme emotional distress because of their circumstances, and this only made things worse.”
“For surgeries, our surgeons want to see the problem med list, which for patients that were passed to our system, was unavailable because these came from the regional hospital that had pushed these patients our way. Those same patients would normally have gone to diagnostic imaging in the regional hospital close to them, but now they travel all the way to our hospital and back. For a routine procedure like a colonoscopy, this is a convenience, but when you’re dealing with a significant health issue, this just creates massive stress all around.”
“People, for the most part, were understanding, some were frustrated because we couldn’t get back to them but they realized it wasn’t our fault because it was all over the local news and Facebook. Toward the end, all of this understanding was turning into frustration. We were pretty excited to finally be able to get emails for things and start to catch things back up, which is pretty amazing when you think about it.”
The impact of this healthcare cyber attack will be felt far into the future.
Businesses, and hospitals are businesses, don’t lose $1.5M per day without heads rolling. The two people that we spoke with that are close to the system had heard that some top people had been fired, but we were not able to confirm that. We also don’t know if in the end they paid the ransom or were able to overcome the methods used to lock systems up.
It’s a sad fact that most experts in the US believe that the cost of ransomware attacks are woefully under-reported, because many businesses simply pay up, rather than have it known that they couldn’t get access to their own data, or that their customer’s data was compromised. It’s a good bet that the statistics that we use to try and convey the risks of computer compromise, as scary as they already are to us as IT professionals, are actually much worse than we are able to document.
Money aside, the human toll here is tragic. It was clear in talking to these people that there was emotional scarring that happened. For the workers, an already pretty intense job became just unbearable. They spoke of their lack of trust in their systems and the fear that at any given moment, they’ll be back in this terrible place. Many are still keeping a paper trail, which of course is inefficient and so the patient processing capacity of these systems will remain slower for quite some time.
Even more, well, sad and tragic, is the impact on patients. For some, this represented an inconvenience and a diminishment of their trust in their local regional hospital. The hospital’s brand has been damaged for quite some time. Our hearts go out to those patients who were already dealing with extraordinarily difficult news, trying to deal with the worst news possible, and then having this thrown on top of it. We can only imagine the stress and heartbreak that this caused.
This is real, and it’s baked into our near and long-term future.
Is it time to Panic? No… not if you are prepared. Statistically, you will be breached no matter what you do.
The right questions to ask are:
-
Are you prepared?
-
Do you have a plan for when it does happen?
-
How can you mitigate the operations impact?
-
How can you reduce your technology risk?
-
How can you reduce your business liability?
I’ve seen both the responses of organizations that were prepared and had a plan vs those that didn’t and it’s vastly different. This preparation isn’t a matter of putting a checklist together and now you’re done… it's about building the cybersecurity journey and culture into your company's DNA. Make it a part of regular conversation and business planning.
If you're going to be breached, why go through all the effort, time, and money?
Should I just accept the fact this is the way it is? NO!
Why prepare and plan for when it does happen?
-
Reduce your risk and mitigate the operational impact.
-
Protect your business and reduce financial and legal liability.
-
The bottom line is it’s a lot less stressful when you are prepared.
Some vulnerabilities are technical, and staying on top of current threats as new information comes in can be the difference between your company being attacked or not. Some vulnerabilities are human and effective in building policies, processes, and the human firewall to help plug these holes before your systems are locked down and unavailable like these poor souls above.
We encourage you to take advantage of our security assessment. Let’s get you on track and we can guide you on your cybersecurity journey.
Teknologize is a SOC 2 certified, Professional Technology Services company with clients throughout the Pacific Northwest. We have offices located in:
- Tri-Cities, Washington 509.396.6640
- Yakima, Washington 509.396.6640
- Bend, Oregon 541.848.6072
Questions about your IT or Cybersecurity? Give us a call today!
