[BreachExchange] Ransomware Attack Delays EHR Rollout

Destry Winant destry at riskbasedsecurity.com
Thu Jan 7 10:49:38 EST 2021


https://www.databreachtoday.com/ransomware-attack-delays-ehr-rollout-a-15714

The lingering aftershocks of an October ransomware attack and ongoing
COVID-19 response challenges are forcing the University of Vermont
Health Network to delay the next phases of an enterprisewide
electronic health record rollout.

The Burlington, Vermont-based healthcare system, which includes six
hospitals and other care facilities, says it will revise planned
implementation of next phases of its EHR system from Epic Systems
Corp, "amid the ongoing effort to respond to the COVID-19 pandemic and
restore normal operations following a recent cyberattack."

John Brumsted, M.D., president and CEO of the UVM Health Network,
notes in a statement: "In 2020, our network, like those across the
world, experienced tremendous challenges due to the COVID-19 pandemic,
only to be further encumbered by a ransomware attack."

Under the changed timeline, the "go live" phases for the EHR
implementations in several inpatient and outpatient units at UVM
facilities will be delayed four to eight months.

'Foundation Shaking Events'

"Major breach events, such as ransomware attacks, are typically
foundation shaking events for any organization," says former FBI
special agent Vincent D'Agostino, head of cyber forensics and incident
response at security vendor BlueVoyant.

"The response to these events will supersede any ordinary IT plans
until the crisis is resolved."

Drex DeFord, executive healthcare strategist of vendor CI Security and
a former healthcare and military CIO, offers a similar
perspective.

"There are multiple issues at play here - the ransomware attack and
long recovery process; the double-whammy financial impact of both the
ransomware attack and COVID-19; and the significant refocusing of
clinical staff on patient care and vaccine distribution," he says.

"The delayed implementation of a major project, in an effort to better
align resources and improve chances of project success, is a very
responsible move of the UVM leadership team. ... Other health systems
have also introduced delays to major EHR projects."

Ron Pelletier, founder of security consulting firm Pondurance, notes
that in many ransomware attacks, "not only has data been acquired
by an unauthorized person or persons but, likely, administrative
control of systems that support and/or host it as well. Given this, it
seems a reasonable measure of due care that the organization should
understand the extent of the attack before proceeding with such a
major implementation."

Timeline Delayed

The multiyear UVM Health Network Epic EHR implementation project
replaces a patchwork of applications that are not fully integrated,
both within and between network hospitals, "often a barrier to
providing the highest quality and coordinated care when patients
receive treatment in multiple care settings," UVM said in its
statement.

"An electronic health record is one of the most significant things we
can do to ensure high quality care and create a seamless experience
for our patients. That is why it is absolutely critical to our
patients, our people, and our communities that we get the
implementation of this system right," Brumsted said.

"Given the obstacles we faced over the last year, modifying our
timeline for installation of the EHR is the right thing to do."

On its website, UVM notes that the October cyberattack "continues to
cause variable impacts, depending on the service and the location."
For instance, UVM says that at its Burlington medical center, the IT
team is continuing to restore access to certain applications, and that
"some areas - such as radiology - may still experience delays in
providing care."

UVM also notes that it did not pay a ransom to the hackers.

Growing Threats

The Oct. 28 attack on UVM came amid ransomware attacks on several
other healthcare entities across New England and other regions of the
country. Vermont Governor Phil Scott called up the state's National
Guard to assist in UVM's recovery (see Call in the National Guard:
Entities Respond to Threats).

The FBI and the U.S. Department of Homeland Security's Cybersecurity
and Infrastructure Security Agency issued an Oct. 28 alert warning
hospitals about a fresh wave of Ryuk ransomware attacks targeting
healthcare facilities around the country (see U.S. Hospitals Warned of
Fresh Wave of Ransomware Attacks).

Taking Action

What steps should other healthcare entities take to better prepare for
the potential long-lasting impact of ransomware attacks?

"Playing out the 'what if' scenarios is critical to their
preparedness," DeFord says. "We see them do it with annual disaster
planning, and you'll often see the CFO's team work through planning
alternatives associated with financial disruption. Certainly CIOs and
other IT project leaders are regularly asked to add/remove/change
project parameters on a regular basis."

Many security professionals have done great work building traditional
defenses, "but now they must shift to monitoring networks and
applications 24/7/365," DeFord notes. "The goal is to catch ransomware
or other cybercriminal activity quickly, put the fire out while it's
still small and return to normal operations with minimal disruption,"
he says.

"With a distributed, work-from-anywhere staff, relentless monitoring
of end points becomes even more critical."

Pelletier notes: "There is a tendency to view security incident
response planning and business continuity planning as mutually
exclusive activities, which can create a myopic outlook at risk
impact. ... Security incident response planning, on its own merits,
often has the goal of threat containment, eradication and recovery of
the affected systems and processes as expeditiously, though as
orderly, as possible."

A security incident response plan should be a component of an
enterprise business continuity plan "in order to estimate and account
for extended risk," he adds.

