Cyberattack on UVM Health Network Impedes Chemotherapy Appointments


The cyberattack has halted chemotherapy, mammogram and screening appointments, and led to 300 staff being furloughed or reassigned.

The University of Vermont (UVM) health network is scrambling to recover its systems after a cyberattack led to widespread delays in patient appointments – including chemotherapy appointments, as well as mammograms and biopsies.

The UVM Health Network is a six-hospital, home-health and hospice system, which encompasses more than 1,000 physicians, 2,000 nurses and other clinicians in Vermont and northern New York. The cyberattack was first launched the week of Oct. 25, with the UVM Medical Center being hit the hardest, according to local reports. Reports said that the attack came through the hospital’s main computer server, and impacted its entire system.

Since then, the FBI and the Vermont National Guard have been brought in to review thousands of end-user computers and devices, to ensure that they are free of malware. In an update on Saturday, the UVM health network said that it “made significant progress overnight to restore behind-the-scenes components that will aid in the restoration of additional patient-facing systems.”

“Our IT team has now accessed patient schedules for all network hospitals through next weekend,” according to the Saturday update. “This will improve our efficiency and the overall experience for patients as we continue to restore systems from last week’s cyberattack event.”

Threatpost has reached out to FBI spokesperson Sarah Ruane about the attack – including what type of data was accessed, how the attack initially occurred, whether malware or ransomware was utilized and more. This article will be updated accordingly when the spokesperson responds.

“Healthcare systems, hospitals, and pharmaceutical companies have been enduring more focused cyberattacks during the pandemic,” Hank Schless, senior manager of Security Solutions at Lookout, told Threatpost. “Threat actors know that these organizations are under intense pressure to take care of a high volume of patients, and help contribute to discovering a vaccine on top of their usual responsibilities.”

The Impact

While the UVM health network has been vague regarding what data has been accessed, the scheduling of patient appointments has been impacted, according to reports, affecting important patient screenings and appointments.

Before the attack, 45 to 60 patients were able to get chemotherapy appointments at the UVM Medical Center. However, that number went down to 15 patients after the cyberattack, creating a backlog of people who need care.

The hospital network said it has developed plans to ensure patients receive needed cancer treatments for the next several days.

“Patients are receiving treatment and we are urgently working to expand our capacity to provide chemotherapy at UVM Medical Center to seven days per week and three evenings per week,” they said. “Meanwhile, we are also scheduling some patients for treatment at Central Vermont Medical Center, Champlain Valley Physicians Hospital and other facilities when appropriate.”

The UVM health network also said it has been able to recover some appointment schedules for the rest of its network. However, the network said it is unable to accommodate breast imaging on Monday at the UVM Medical Center, including mammograms, breast ultrasound screenings and biopsies.

“Our breast imaging staff have limited access to patient data, and therefore will not be able to inform all patients that their appointments have been cancelled in advance,” according to the data breach update. “We deeply apologize for the inconvenience this will cause patients.”

Hospital staff have also been impacted, according to reports, with the cyberattack leaving some staff members unable to do their normal jobs. Up to 300 employees of the UVM Medical Center hospital have been either re-assigned or furloughed, according to president and COO Stephen Leffler, MD, speaking during a press conference on Friday.

Cybercriminals Targeting Hospitals

Hospitals and the healthcare industry have faced a flurry of cyberattacks over the past few months. In September, for instance, a ransomware attack shut down Universal Health Services, a Fortune-500 owner of a nationwide network of hospitals. In October, a slew of hospitals were targeted by ransomware attacks, including Klamath Falls, Ore.-based Sky Lakes Medical Center and New York-based St. Lawrence Health System.

“The healthcare industry will remain a high-level ransomware target, especially as continued testing increases the amount of data or information known about patients or future patients,” Heather Paunet, vice president of product management at Untangle, told Threatpost. “IT departments need to be more aware than ever before about how to protect their network, their employees and their patients.”

Mohit Tiwari, co-founder and CEO at Symmetry Systems, told Threatpost that hospitals are finding themselves in a “very challenging situation” when it comes to security.

“They need to prioritize fighting a number of healthcare-related issues every day as well as having to work with software and hardware that takes years to certify for safety,” said Tiwari. “Unfortunately, this means the compute infrastructure lags behind for both business and technical reasons.”

Dirk Schrader, global vice president at New Net Technologies (NNT), has found in previous research that unprotected, unpatched medical devices connected to the internet (tied in with image archives and electronic medical record systems) show that the healthcare sector is still an easy target, and most likely will remain one for the foreseeable future.

He said the sector needs to change its approach, moving away from negligence about cybersecurity and towards an integrated, cyber-resilient handling of medical devices incorporated into hospital processes.

“It appears that malware groups have decided it is the end of closed season for hospitals and other healthcare providers,” Schrader told Threatpost. “At the beginning of the pandemic, most pledged to shy away from this group of targets, however, the recent warning issued by CISA, FBI and HHS indicates that this is not expected to be the case any longer.”


Discussion

  • Arjen Lentz on

    No. It is inadequate security that led to those unfortunate results. The entrenched habit of organisations, particularly in the US, to blame and persecute whomever triggered the issue, rather than dealing with the root cause or taking internal responsibility, is sadly still rife. In the end it's not laws and penalties that prevent these intrusions, it's good security. In many cases, can you even call it an attack - an attack is generally targeted. Most ransomware and other incidents are purely opportunistic.
