[BreachExchange] Universal Health Services' IT Network Crippled

Destry Winant destry at riskbasedsecurity.com
Wed Sep 30 10:23:29 EDT 2020


https://www.databreachtoday.com/universal-health-services-network-crippled-a-15074

UPDATE: Tuesday, Universal Health Services issued an updated statement
and also filed a form 8-K with the Securities and Exchange Commission
about the incident. It notes that the company "suspended user access
to its information technology applications related to operations
located in the United States. The company has implemented extensive
information technology security protocols and is working diligently
with its security partners to restore its information technology
operations as quickly as possible. In the meantime, while this matter
may result in temporary disruptions to certain aspects of the
company's clinical and financial operations, the company's acute care
and behavioral health facilities are utilizing their established
back-up processes including offline documentation methods. Patient
care continues to be delivered safely and effectively."

A security incident that apparently involved ransomware has crippled
the network of Universal Health Services, which owns hundreds of
facilities across the U.S.

In a Monday statement, UHS, a publicly traded company based in King of
Prussia, Pennsylvania, says: "The IT network across Universal Health
Services facilities is currently offline, due to an IT security issue.
We implement extensive IT security protocols and are working
diligently with our IT security partners to restore IT operations as
quickly as possible."

The statement adds: "In the meantime, our facilities are using their
established back-up processes including offline documentation methods.
Patient care continues to be delivered safely and effectively. No
patient or employee data appears to have been accessed, copied or
otherwise compromised."

UHS says it treats 3.5 million patients annually and reported revenue
of more than $11 billion in 2019. Its 400 facilities include acute
care hospitals, behavioral health and residential treatment facilities
and outpatient centers across the U.S., Puerto Rico and the United
Kingdom.

A spokeswoman for UHS tells Information Security Media Group that UHS'
U.K. facilities are not affected by the incident. She declined further
comment beyond the company's statement.

'Shut Down'

According to a post on Reddit by an individual who claims to work at a
UHS facility in the Southeastern U.S., on Sunday at approximately 2
a.m., systems in the facility's emergency department "just began
shutting down."

The individual says: "I was sitting at my computer charting when all
of this started. It was surreal and definitely seemed to propagate
over the network. All machines in my department are Dell Win10 boxes."

Anti-virus programs were disabled by the attack, and hard drives "just
lit up with activity," the individual writes. "After one minute or so
of this, the computers logged out and shut down. When you try to power
back on the computers they automatically just shut down. We have no
access to anything computer-based including old labs, EKGs, or
radiology studies. We have no access to our PACS radiology system."

Media outlet Bleeping Computer reports that a UHS insider says that
during the incident, files were being renamed to include the .ryk
extension. This extension is used by the Ryuk ransomware.

Likewise, citing "people familiar with the incident," the Wall Street
Journal reports that the attack did indeed involve ransomware.

'Safety Risk to Patients'

Brett Callow, a security threat analyst at Emsisoft, tells ISMG that
Ryuk is operated by a number of groups.

"However, the original gangsters seemingly took a hiatus in spring
after which incidents tailed off considerably. Unfortunately, the
original gangsters appear to be back in action with a series of very
highly targeted attacks," he says.

"Attacks on healthcare organizations, and especially hospitals,
represent a serious risk to patients," he says. For example, a recent
ransomware incident at a German hospital allegedly resulted in the
death of a patient who needed to be transported to another facility,
delaying emergency care (see: Ransomware Attack at Hospital Leads to
Patient's Death).

"We firmly believe that the only way to stop these [ransomware] attacks -
and to keep hospitals safe - is to ban the payment of demands," he
says. "Should that not happen, attacks will continue and more deaths
are highly likely."

But it is not just the healthcare sector that is seeing an uptick in
high-profile ransomware incidents, says Ilia Sotnikov, vice president
at security vendor Netwrix. "Even outside of healthcare facilities,
our daily lives largely depend on the network of connected computers
and devices," Sotnikov notes. "In cases of cybercriminal activity, the
end game is getting money, but unfortunately there are other attacker
types, such as nation states or terrorist groups, that may want to
leverage cybersecurity to cause real damage."

