US hospital chain Universal Health Services, Inc. (UHS) has been forced to suspended user access to its IT applications after a cyber attack struck its systems on Sunday morning.
UHS is among the largest providers of hospital and healthcare services in the US, featuring among Fortune 500 companies in 2019 with annual revenue of $11.4 billion and also ranking #330 in Forbes list of U.S.' Largest Public Companies.
The company employs around 90,000 people across 26 acute care hospitals, 330 behavioral health facilities, 41 outpatient facilities, and a number of ambulatory care access points and a network of physicians. Aside from the US, US also operates in Puerto Rico and the United Kingdom.
On Monday morning, UHS uploaded a short statement on its website, stating that its IT network across all facilities was offline due to an IT security issue.
"We implement extensive IT security protocols and are working diligently with our IT security partners to restore IT operations as quickly as possible. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively. No patient or employee data appears to have been accessed, copied or misused," the statement read.
Earlier today, the company released a much more detailed report, stating that due to the IT security issue that took place on Sunday morning, it had to suspend user access to its IT applications related to operations located in the United States. It, however, did not disclose the kind of cyber attack it suffered or whether hackers had demanded a ransom.
"The Company has implemented extensive information technology security protocols and is working diligently with its security partners to restore its information technology operations as quickly as possible.
"In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioural health facilities are utilising their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively," UHS said.
According to Chris Hauk, Consumer privacy champion at Pixel Privacy, UHS suffered a ransomware attack on Sunday morning and the ransomware used in this attack is reportedly Ryuk ransomware, which used phishing emails to infect UHS systems.
"This attack underscores the need for companies to spend the relatively small amount of money needed to provide education for employees and executives to teach them how to avoid infecting their systems by opening attachments or clicking links in emails and text messages," he added.
Niamh Muldoon, Senior Director of Trust and Security at OneLogin, termed the ransomware attack on UHS "a terrifying déjà-vu of the 2017 WannaCry outbreak", stating that it is terrible that cybercriminals would go after healthcare institutions especially in such a time as this and we can only hope that the affected hospitals are able to swiftly adjust their operations to ensure that patients receive the care they need on time.
Terming the ransomware attack as an absolute tragedy, Jamie Akhtar, CEO and co-founder of CyberSmart, said the healthcare industry continues to be an enormous target for cyber criminals since COVID lockdowns began and this large-scale breach really demonstrates the real-world consequences of cyber attacks for healthcare.
"Attacks in healthcare don't just mean loss of money, reputation, or data. They can mean lost lives. Many of these breaches could be prevented through basic cyber hygiene covered in the government-backed Cyber Essentials scheme. This includes maintaining strong password protection, up-to-date software and firewalls, and anti-malware," he added.
"The only way for organisations to protect themselves from these potentially catastrophic outcomes is to adopt a culture of security, starting with understanding and support from executive management. If there is no buy in or budget provided from leadership, not even the most talented security engineers or best of breed products stand a chance against modern ransomware gangs," says Chris Clements, VP of Solutions Architecture, Cerberus Sentinel.
"You need a holistic approach that starts with understanding and implementing information security best practices from personnel training to technical configurations. Just as important is regular penetration testing as well as 24/7 security monitoring and threat hunting capabilities to ensure that no security gaps exist and initial alerts of potential compromise are caught and shut down before significant damage occurs."