Universal Health Services Network Outage: Lessons to LearnTips for How Not to Become the Next Ransomware Victim
In an updated statement on Monday, Universal Health Services says its IT network has been restored and applications are in the process of being reconnected. "More than half of our acute care hospitals are live already or scheduled to be live by the end of today. UHS has deployed a significant number of IT and clinical resources to the hospitals, to support the resumption of online operations. The go-lives will continue on a rolling basis; in the meantime, those working toward go-live are continuing to use their established back-up processes including offline documentation methods."
As Universal Health Services continues to recover from an apparent ransomware incident last weekend that affected system access for hundreds of its facilities, security experts say others can learn important lessons from the company's experience.
Those lessons include making sure all systems are automatically backed up to the cloud daily, conducting a smart risk assessment that scores each server, implementing micro-segmentation, ensuring access control standards are followed and monitoring the dark web for relevant malicious activity.
Network Still Offline
A UHS spokeswoman told Information Security Media Group on Thursday that the organization's national IT network was still offline, "but we are bringing applications back online on a rolling basis. We are making steady progress."
Also in an updated public statement, issued Thursday evening, it said the security incident "was caused by malware."
UHS says the cyberattack occurred early Sunday morning, after which the company shut down all network access across the U.S. "We have no indication at this time that any patient or employee data has been accessed, copied or misused. The company's U.K. operations have not been impacted," the statement says.
The company says it implements "extensive IT security protocols" to protect its systems and data and is working with its IT security partners to restore IT infrastructure and business operations as quickly as possible.
"Hackers are getting much more sophisticated, and health information is a prime target for hacking."
—Roger Severino, HHS OCR
The statement Thursday also notes: "We have a large number of corporate-level administrative systems, and the recovery process is either complete or well underway in a prioritized manner. We are making steady progress and are confident that we will be able to get hospital networks restored and reconnected soon."
UHS says its major information systems such as the electronic medical record were not directly impacted. "We are focused on restoring connections to these systems. In the meantime, our facilities are using their established back-up processes including offline documentation methods. Patient care continues to be delivered safely and effectively."
Although the company has declined to discuss details of the incident, a UHS insider told media outlet Bleeping Computer that, during the incident, files were being renamed to include the .ryk extension. This extension is used by the Ryuk ransomware.
Experts say Ryuk malware is commonly delivered via email from phishing links or attachments.
"From preliminary, unofficial reports, it sounds like hackers were able to get employees within the organization to click on an infected link in a phishing email, which downloaded Trojan malware - possibly Emotet - that is propagated in this manner," says Mike Wilson, chief technology officer and founder of security firm Enzoic.
"Once infected, this would have allowed the attackers remote access inside the organization to install additional malware to harvest and report back sensitive information from their network, including, for instance, administrative credentials from their IT organization," he says.
"Once they had harvested the appropriate admin credentials, they would have full access to deploy the Ryuk ransomware with relative ease. This is a relatively common blueprint for this type of attack, where employee or admin credentials are compromised via one method or another."
'Big Game Hunting'
The operators behind Ryuk typically infiltrate the environment first and map out all devices they're looking to target, says Tim Bandos, vice president of cybersecurity at security firm Digital Guardian.
"These types of devices are commonly domain controllers, databases and web servers. Depending on the level of access the adversaries have, they can then deploy the ransomware very easily through Windows Group Policy. This type of deployment would only take a matter of seconds to achieve."
Once an organization is infected, the impact can be disastrous, other experts say.
"Ryuk ransomware works to shut down all systems once it has attained 'elevated' or administrative privileges and deletes backup files," says Lee McKnight, a professor at Syracuse University. "So all end points can be shut down/made inaccessible as Ryuk operators - manually - determine which exact systems to take down.
"This is a 'big-game hunting' tool for hacker groups that invest time - and therefore money - to attack major firms from which they expect to extract large ransom payments."
Ransomware attacks are a growing threat to the healthcare sector, Roger Severino, director of the Office for Civil Rights at the U.S. Department of Health and Human Services, tells ISMG.
"Hackers are getting much more sophisticated, and health information is a prime target for hacking. ... And healthcare systems are willing to pay money to hackers to get their data back if it is victim to ransomware," he says.
"Our [HIPAA] breach reports have seen a significant uptick in hacking incidents. Sixty-two percent of our large breach reports from 2019 to year to date are hacking incidents. Providers really need to take these threats seriously."
One essential risk mitigation step, Severino says, is conducting a thorough enterprisewide risk analysis. Organizations that fail to conduct an analysis "won't find their vulnerabilities," he notes. "Guess who will find their vulnerabilities? The bad actors."
Preparing for the Worst
Among key lessons to take away from the UHS breach "is how hard it is to undo the repercussions of a cyber incident," says Ido Geffen, a vice president at security firm CyberMDX.
All organizations must "work quickly and diligently to improve their cyber posture," he says. "For hospitals to be dynamic enough for dealing with this type of attack, they should take a 'multiple layers of protection' approach."
Key steps, he says, include having an updated inventory of all the connected servers with the relevant attributes, conducting a smart risk assessment that scores each server based on a CVSS score and the device criticality level, and creating a prioritized remediation plan, he says.
To limit the disruption caused by cyber incidents such as ransomware, McKnight says it's critical to ensure all systems are automatically backed up to the cloud daily.
"Work with cloud vendors to institute 'micro-segmentation' so that subnetworks or virtual network 'slices' segment different aspects of the enterprise. That way, a breach in one area is not readily able to cross-infect other systems," he says.
"Pay attention to the dark web, or pay someone who does."
—Lee McKnight, Syracuse University
"If not already in place, ensure access controls and least privileges standards are followed - since most people do not need to have access to most systems and data. In NIST-speak: AC-5 and AC-6. If your IT security people do not know what those are, fire them and hire someone who has a clue. Now. Today."
McKnight also says organizations must "pay attention to the dark web, or pay someone who does." In the UHS case, he says, "independent cybersecurity researchers could see that UHS systems were communicating with known malware for months ... and apparently no one at UHS was paying attention," he contends.
Bandos offers actions that organizations can take to mitigate the risk of ransomware attacks and other cyber incidents. They include:
- Disable the ability to run macros on systems to reduce the chance of malicious documents installing malware.
- Remove administrative privileges from employee laptops to help prevent unwanted programs from running.
- Leverage URL reputation services to identify suspicious URLs and links.
- Whitelist applications on devices to prevent malicious applications from running.
- Implement architectural controls for network segmentation to limit or prevent lateral propagation.
- Keep devices patched and up to date.
- Use a next-generation antivirus or endpoint protection platform to enable administrators to block malicious commands that run from native Windows tools.
"Any externally facing servers - with direct access from the internet - running the Remote Desktop Protocol port would be extremely vulnerable to these types of intrusions," Bandos adds. "Attackers have been targeting these systems more and more in recent years since they're easy to discover and can use brute force/password guessing techniques in order to compromise."
Hackers may also look to identify any unpatched web servers running outdated versions of applications, Bandos adds.
"This would allow the attacker to exploit the system and acquire direct access. Additionally, recent studies have shown that almost half of hospital devices are still vulnerable to the BlueKeep Windows flaw that was announced over a year ago," he says.
"These types of vulnerabilities only make the job easier for the attackers to spread their malicious software."