Cyber Case Study: UVM Health Network Ransomware Attack

In October 2020, the University of Vermont (UVM) Health Network—a six-hospital health care organization that serves over 1 million patients throughout Vermont and upstate New York—discovered that its systems had been compromised by cybercriminals in a ransomware attack. This incident led to major disruptions throughout the organization’s infrastructure, shutting down vital technology and delaying patient care.

This attack—which ultimately stemmed from an employee error—resulted in significant recovery costs and reputational damages for UVM Health Network, emphasizing the severity of cyber incidents throughout the health care industry. There are numerous cybersecurity lessons that organizations can learn by reviewing the details of this incident, its impact and the mistakes UVM Health Network made along the way. Here’s what your organization needs to know.

The Details

At the start of October 2020, a UVM Health Network employee took their work laptop on vacation with them. During this vacation, the employee used the laptop to check their personal emails. One of these emails was from the employee’s local homeowners association. Although the email appeared legitimate, the homeowners association had recently been hacked by cybercriminals. As a result, the email was actually a phishing scam. By opening the email, the employee unknowingly allowed cybercriminals to launch malware on their work laptop. When the employee came back to work and connected their laptop to UVM Health Network’s systems, the cybercriminals then utilized that malware to target the entire organization.

On Oct. 28, the cybercriminals officially launched their attack on UVM Health Network, spreading malware throughout the organization’s technology. That afternoon, the organization’s IT department began receiving a number of reports of server issues and glitching applications. Upon investigating these reports, the department suspected a cyberattack was taking place. Fearing a potential data breach, UVM Health Network immediately went offline—thus shutting down its computer and phone systems—to protect its sensitive data. After doing so, the IT department found a text file from the cybercriminals on one of the organization’s devices. The file explained that the cybercriminals had compromised UVM Health Network’s systems and encrypted the organization’s data. The cybercriminals urged the organization to contact them in order to regain access to its systems and data.

While the text file didn’t contain a specific ransom demand, UVM Health Network’s IT department was fairly confident that contacting the cybercriminals would only result in such a demand—a demand that the organization didn’t want to fulfill. After all, there was no guarantee that the cybercriminals would actually restore the organization’s systems and data after the ransom was paid. Therefore, instead of complying with the cybercriminals’ orders, the organization contacted the FBI for assistance. From there, UVM Health Network worked closely with the FBI to identify the source of the attack and resolve the incident. In the coming weeks, Vermont Gov. Phil Scott also deployed the state’s National Guard to further assist in the matter.

Fortunately, the organization confirmed that no sensitive data (e.g., patient data or employee information) was stolen or exposed during the attack. Rather, UVM Health Network’s existing cybersecurity measures allowed the organization to regain access to most of its data through safely stored backup copies. Nonetheless, the attack still largely disrupted the organization’s operations for several weeks while it worked to fully recover its data, remove the malware (as well as any digital backdoors created by the malware) from all infected technology and rebuild its damaged infrastructure. During this time, hundreds of employees were unable to perform their job responsibilities due to the computer and phone systems remaining shut down. What’s worse, many patients faced delayed test results, experienced appointment cancellations and had to reschedule elective medical procedures while UVM Health Network recovered from the incident. In total, it took several months for the organization to completely restore its infrastructure.

The Impact

UVM Health Network faced a range of consequences from this cyber incident, including the following:

Recovery Costs and Lost Revenue

The organization incurred significant recovery expenses as a result of the attack. This includes costs related to UVM Health Network rebuilding 1,300 damaged servers, restoring 600 disabled applications, scanning and cleaning 5,000 malware-ridden computers, and repopulating its overall infrastructure with backed-up data. In addition, the organization lost a considerable amount of revenue in the time it took to recover from the incident—totaling nearly $1.5 million per day. As a whole, the attack is estimated to have cost UVM Health Network over $63 million. These costs greatly exceeded the organization’s existing cyber insurance protection, as it was only insured for $30 million.

Reputational Damage

Apart from recovery expenses, the organization encountered widespread scrutiny due to the attack. Specifically, UVM Health Network was criticized for allowing employees to access their personal emails on workplace devices—a flaw that essentially led to the incident. Although the organization’s existing cybersecurity measures effectively prevented the attack from resulting in a data breach, UVM Health Network was still scrutinized for its lengthy incident recovery process, especially considering that this process resulted in delayed patient care.

Delayed System Updates

Finally, the attack forced the organization to modify its timeline for rolling out an updated electronic health record system. This system was intended to replace the organization’s existing patchwork of health record applications and create a more integrated system to be utilized for both inpatient and outpatient care. While UVM Health Network had already implemented the first phase of this rollout in November 2019, the second and third phases were pushed back to November 2021 and April 2022, respectively.

Lessons Learned

There are several cybersecurity takeaways from the UVM Health Network ransomware attack. Specifically, the incident showcased these key lessons:

Employee Education Can’t be Ignored

Employees are often the first line of defense against cyberattacks. In fact, as many as 90% of such attacks stem from human error. This issue was certainly emphasized during UVM Health Network’s cyber incident. If the organization had educated its employees on safe email protocols and phishing detection measures, it’s possible that this attack could have been avoided altogether. As such, it’s crucial to share the following cybersecurity best practices with employees:

  • Avoid opening or responding to emails from unfamiliar individuals or organizations. If an email claims to be from a trusted source, verify their identity by double-checking the address.
  • Never click on suspicious links or pop-ups, whether they’re in an email or on a website. Don’t download attachments or software programs from unknown sources or locations.
  • Utilize unique, complicated passwords for all workplace accounts. Never share credentials or other sensitive information online.
  • Only browse safe and secure websites on workplace devices. Refrain from using these devices for answering personal emails or browsing the internet on topics unrelated to work.
  • Contact a supervisor or the IT department if suspicious activity arises.

Effective Security Software is a Must

After the attack, UVM Health Network made it a priority to block employees’ access to their personal emails on all workplace devices, as well as equip this technology with more advanced security software. While this software may seem like an expensive investment, it’s worth it to minimize the impacts of potentially devastating cyber incidents. Software to consider includes network-monitoring systems, antivirus programs, firewalls, endpoint-detection products and patch-management tools. Also, it’s valuable to conduct routine penetration testing to determine whether this software possesses any security gaps. If such testing reveals any problems, these issues should be addressed immediately.

Cyber Incident Response Plans Make a Difference

UVM Health Network took an extended period of time to recover from this incident, ultimately increasing disruption concerns, delaying patient care and compounding the overall costs of the attack. Such lengthy recovery issues highlight how vital it is to have an effective cyber incident response plan in place. This type of plan can help an organization establish timely response protocols for remaining operational and mitigating losses amid a cyber event. A successful incident response plan should outline potential cyberattack scenarios, methods for maintaining key functions during these scenarios and the individuals responsible for carrying out such functions. This plan should be routinely reviewed through different activities—such as tabletop exercises—to ensure effectiveness and identify ongoing vulnerabilities. Based on the results from these activities, the plan should be adjusted as needed.

Ransomware Attacks Carry Unique Ramifications

It’s important to note that UVM Health Network made a smart choice by not complying with the cybercriminals’ demands and instead reaching out to the FBI during this incident. While this practice is vital to avoid further exploitation during ransomware attacks, doing so often contributes to a lengthier incident recovery process. That being said, ransomware attack scenarios must be considered when developing a cyber incident response plan. In particular, the plan should address specific tactics for remaining operational during the lengthy recovery efforts that often accompany such attacks. Additionally, it’s important that the plan prioritizes contacting law enforcement and working with insurance partners for further assistance when these events occur, as this practice can help minimize potential losses, improve incident investigation processes and better identify perpetrators.

Proper Coverage Can Provide Much-needed Protection

Finally, this attack made it clear that no organization—not even a major health care organization—is immune to cyber-related losses. That’s why it’s crucial to ensure adequate protection against potential cyber incidents by securing proper coverage. Considering how expensive cyber events can be (especially ransomware attacks), it’s best to carefully select a policy limit that will provide sufficient protection amid a costly incident. Consult a trusted insurance professional when navigating these coverage decisions.

Contact INSURICA today for additional risk management resources.

This is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2024 Zywave, Inc. All rights reserved.
