Over the weekend, Universal Health Services (UHS) was hit by a cyberattack that targeted their network. Anonymous sources have reported that all computer systems are down, and medical staff are using pen and paper to conduct operations. The UHS released a statement that provides little information about the attack or the impact, calling it an IT security issue.
The UHS statement affirms that patients are still being cared for safely and effectively. Though this is somewhat reassuring, emergency room wait times have skyrocketed, and medical staff are unable to access records or use modern equipment that relies on network connection to function. Outdated tools and an IT nightmare are the only problems that have surfaced so far, but an attack of this magnitude has the potential to produce more serious consequences. Cyberattacks have huge impacts on every industry, but for healthcare systems in particular, an IT incident can be a matter of life and death. When patients rely on modern systems and machines for treatment, shutting down the network and effectively negating years of technological innovation could be catastrophic.
While the source of the incident is likely a type of ransomware, the precise method the attacker used to gain access to the UHS system is still unclear. Malware installation and unauthorized network access can occur through a variety of means. Phishing scams and other types of social engineering often target user credentials, allowing hackers to compromise a system from the inside. Loss, theft, or physical access to an employee device or hard drive could result in a security breach that compromises any confidential data that is on the device and gives the attacker network access.
According to the UHS statement, no employee or patient data is known to have been breached. However, this does not mean that a data breach has not occurred. It takes an average of 280 days to detect and contain a breach, so in the wake of a cyberattack, the possibility cannot be ruled out.
Breach reporting requirements are detailed in the HIPAA Breach Notification Rule. If a data breach is confirmed, the UHS must report it within 60 days to the individuals whose data was compromised and to the US Department of Health and Human Services (HHS). If the breach affects more than 500 individuals, they must also report it to the media, and the UHS will join the HHS list of data breach incidents. Unfortunately, this list is long and constantly expanding, highlighting the need for decisive changes in the way healthcare data is handled and safeguarded.
At this point there is no way of knowing exactly how many records may have been affected if a data breach occurred, and that uncertainty is a huge problem when it comes to personal health information (PHI). The UHS is a Fortune 500 company, with over 90,000 employees and 400 hospitals across the US and the UK. If even a fraction of their records are exposed, that means that hundreds of individuals could suffer consequences. If IT personnel cannot fix the problem, the best case scenario the UHS can hope for in this situation is paying the hackers a monetary sum in return for stopping the attack. However, PHI is valuable to buyers on the dark web who use it for identity theft and other malicious purposes. Even if the security vulnerability is fixed and the network becomes functional again, there is no guarantee that PHI and other data have not been compromised.
In any case, a healthcare cybersecurity incident is a serious issue. Having security measures in place to prevent cyber attacks and breaches is absolutely critical for health organizations, as well as for any third parties and associates that are involved in processing PHI.
DriveStrike is a security solution that enables companies to remotely wipe, lock, encrypt, and locate devices, preventing unauthorized access to devices, hard drives, and the data stored on them. DriveStrike provides essential functions to protect confidential data, especially in the event that an employee’s device is lost or stolen. Sign up for a free trial to start protecting your devices and data today, and give us a call at 877-519-0010 if you have any questions about healthcare data protection or cybersecurity in general.