Ransomware Attack Delays EHR RolloutVermont Health Network Postpones Next Phases
The lingering aftershocks of an October ransomware attack and ongoing COVID-19 response challenges are forcing the University of Vermont Health Network to delay the next phases of an enterprisewide electronic health record rollout.
The Burlington, Vermont-based healthcare system, which includes six hospitals and other care facilities, says it will revise planned implementation of next phases of its EHR system from Epic Systems Corp, "amid the ongoing effort to respond to the COVID-19 pandemic and restore normal operations following a recent cyberattack."
John Brumsted, M.D., president and CEO of the UVM Health Network, notes in a statement: "In 2020, our network, like those across the world, experienced tremendous challenges due to the COVID-19 pandemic, only to be further encumbered by a ransomware attack."
Under the changed timeline, the "go live" phases for the EHR implementations in several inpatient and outpatient units at UVM facilities will be delayed four to eight months.
'Foundation Shaking Events'
"Major breach events, such as ransomware attacks, are typically foundation shaking events for any organization," says former FBI special agent Vincent D'Agostino, head of cyber forensics and incident response at security vendor BlueVoyant.
"The response to these events will supersede any ordinary IT plans until the crisis is resolved."
Drex DeFord, executive healthcare strategist of vendor CI Security who is and a former healthcare and military CIO, offers a similar perspective.
"There are multiple issues at play here - the ransomware attack and long recovery process; the double-whammy financial impact of both the ransomware attack and COVID-19; and the significant refocusing of clinical staff on patient care and vaccine distribution," he says.
"The delayed implementation of a major project, in an effort to better align resources and improve chances of project success, is a very responsible move of the UVM leadership team. ... Other health systems have also introduced delays to major EHR projects."
Ron Pelletier, founder of security consulting firm Pondurance, notes that in many ransomware attacks, "not only has data has been acquired by an unauthorized person or persons but, likely, administrative control of systems that support and/or host it as well. Given this, it seems a reasonable measure of due care that the organization should understand the extent of the attack before proceeding with such a major implementation."
The multiyear UVM Health Network Epic EHR implementation project replaces a patchwork of applications that are not fully integrated, both within and between network hospitals, "often a barrier to providing the highest quality and coordinated care when patients receive treatment in multiple care settings," UVM said in its statement.
"An electronic health record is one of the most significant things we can do to ensure high quality care and create a seamless experience for our patients. That is why it is absolutely critical to our patients, our people, and our communities that we get the implementation of this system right," Brumsted said.
"Given the obstacles we faced over the last year, modifying our timeline for installation of the EHR is the right thing to do."
On its website, UVM notes that the October cyberattack "continues to cause variable impacts, depending on the service and the location." For instance, UVM says that at its Burlington medical center, the IT team is continuing to restore access to certain applications, and that "some areas - such as radiology - may still experience delays in providing care."
UVM also notes that it did not pay a ransom to the hackers.
The Oct. 28 attack on UVM came amid ransomware attacks on several other healthcare entities across New England and other regions of the country. Vermont Governor Phil Scott called up the state's National Guard to assist in VMU's recovery (see Call in the National Guard: Entities Respond to Threats).
The FBI and the U.S. Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued an Oct. 28 alert warning hospitals about a fresh wave of Ryuk ransomware attacks targeting healthcare facilities around the country (see U.S. Hospitals Warned of Fresh Wave of Ransomware Attacks).
What steps should other healthcare entities take to better prepare for the potential long-lasting impact of ransomware attacks?
"Playing out the 'what if' scenarios is critical to their preparedness," DeFord says. "We see them do it with annual disaster planning, and you'll often see the CFO's team work through planning alternatives associated with financial disruption. Certainly CIOs and other IT project leaders are regularly asked to add/remove/change project parameters on a regular basis."
Many security professionals have done great work building traditional defenses, "but now they must shift to monitoring networks and applications 24/7/365," DeFord notes. "The goal is to catch ransomware or other cybercriminal activity quickly, put the fire out while it's still small and return to normal operations with minimal disruption," he says.
"With a distributed, work-from-anywhere staff, relentless monitoring of end points becomes even more critical."
Pelletier notes: "There is a tendency to view security incident response planning and business continuity planning as mutually exclusive activities, which can create a myopic outlook at risk impact. ... Security incident response planning, on its own merits, often has the goal of threat containment, eradication and recovery of the affected systems and processes as expeditiously, though as orderly, as possible."
A security incident response plan should be a component of an enterprise business continuity plan "in order to estimate and account for extended risk," he adds.