Historic ransomware attack cripples major U.S. healthcare system

October 11, 2020

Dale Shulmistra

Data Protection Specialist @ Invenio IT

On Sept. 27, 2020, one of the worst ransomware attacks ever to hit the healthcare industry began at Universal Health Services (UHS), a hospital network with more than 400 facilities across the United States and the United Kingdom. The attack locked staff out of computers across its expansive network and, in the process, created a safety risk for the many patients receiving care at the affected facilities.

The incident was the latest sign that ransomware attacks against healthcare systems are not easing up – and a reminder of the vital importance of deploying robust disaster recovery solutions. In healthcare settings, data backups can not only save the organization from a massive cyberattack, they can literally save lives.

What we know about the attack

The first sign of the attack was a gradual network slowdown. Then, individual computers started acting oddly and “started shutting down on [their] own,” according to one nurse interviewed by NBC News.

UHS hospitals were forced to move to paper systems, even in emergency-room settings. One healthcare worker said that while paper is “workable,” it vastly increases the workload for hospital staff. In turn, this slows down operations across the organization and can translate into slower care for patients. BleepingComputer reported that the affected hospitals redirected ambulances and relocated some patients to other nearby facilities.

The suspected culprit was Ryuk, crypto-ransomware that encrypts the files on every machine it can reach, which in practice means most of a network. Ryuk is rarely the first malware on a victim’s network: it is typically deployed by operators who got in through other malware, most often the TrickBot Trojan, and who use that foothold to spread through the network before launching the encryption. Victims receive a message demanding payment in Bitcoin, usually between 15 and 50 Bitcoins (about $100,000 to $500,000 at the time), but those demands can skyrocket in targeted attacks.

According to its initial press releases, it appears that Universal Health Services opted not to pay the ransom. While not openly admitting that this was a ransomware attack, UHS confirmed that its entire IT network was offline “due to an IT security issue.” In a more recent statement, on Oct. 3, the company said that it was still working through the problem and that its network was being restored.

Saved by backups – this time

Fortunately, it appears that no patients were endangered and neither patient nor employee data were compromised in the attack. UHS shut down all computers and relied on its business continuity solutions to restore systems. In a statement, UHS said: “Our facilities are using their established back-up processes.”

Not all healthcare organizations have been so fortunate …

Recent ransomware attacks on healthcare

In September, a ransomware attack on a German hospital was linked to the death of a patient. The patient needed urgent care and was en route to the hospital, but was diverted to another facility because of the attack. Authorities say that this delay contributed to her death.

In another incident in late September, a Philadelphia research facility was hit by a ransomware attack that slowed its clinical trials for coronavirus vaccines.

Early in the COVID-19 pandemic, some ransomware groups said they would not go after hospitals during the global health crisis, but these latest attacks show that many groups don’t care if they bring healthcare delivery to a crawl.

It’s getting worse

According to CIS online, it’s “hard to ignore the recent increase in reporting of hospitals victimized by ransomware.” Health care remains one of the biggest targets for hackers, owing to its increasing reliance on internet-connected technology and the willingness of facilities to pay the ransom.

In September, another hospital – University Hospital in Newark, New Jersey – reportedly paid a $670,000 ransomware demand to prevent hackers from publishing nearly 240 GB of stolen data.

Hospitals, heavy users of internet-connected medical devices and often running aging IT with unprotected endpoints, will remain prime targets for criminals who may want to harvest patient medical records or simply go for the easy money of ransomware.

How ransomware hurts healthcare facilities

Ransomware is a type of malware that has been around since 1989. It encrypts files on computers and servers, and some variants also overwrite the machine’s boot sector, leaving the device unusable until the data is decrypted.

The result is that the system is essentially “kidnapped”: the user cannot access the operating system or files until they agree to pay a ransom. That ransom is typically demanded in cryptocurrency such as Bitcoin, which is pseudonymous rather than truly anonymous (every transaction is public, but wallets are not tied to real-world identities). Paying does not guarantee that the hackers will keep their end of the bargain, deliver a working decryptor, or refrain from publishing data they stole.

How it arrives

Over 75% of ransomware attacks begin with compromised remote desktop protocol (RDP) access or email phishing. Attackers can buy RDP credentials on the dark web and pair them with equally cheap ransomware kits. In the last quarter of 2019 and the first quarter of 2020, RDP compromises accounted for around 60% of ransomware entry points.
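The RDP compromise described above leaves a recognisable trace in the Windows Security log: a burst of failed logons (event 4625, logon type 10 = RemoteInteractive) from one source address, followed by a success (event 4624) from the same address. The following detection is an added example written for this page, not code from Invenio IT or any product it mentions. The log lines are constructed, flattened one-event-per-line for readability, and the ten-minute window and five-failure threshold are assumptions to tune for your environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One Windows Security event per line, flattened (constructed sample, not real logs).
# EventID 4625 = failed logon, 4624 = successful logon; LogonType 10 = RDP.
EVENT_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<id>\d+) LogonType=(?P<lt>\d+) "
    r"Account=(?P<acct>\S+) SourceIP=(?P<ip>\S+)$"
)

SAMPLE_EVENTS = """\
2020-09-26T22:01:03 EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.17
2020-09-26T22:01:04 EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.17
2020-09-26T22:01:05 EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.17
2020-09-26T22:01:06 EventID=4625 LogonType=10 Account=nurse04 SourceIP=203.0.113.17
2020-09-26T22:01:07 EventID=4625 LogonType=10 Account=nurse04 SourceIP=203.0.113.17
2020-09-26T22:01:08 EventID=4625 LogonType=10 Account=nurse04 SourceIP=203.0.113.17
2020-09-26T22:01:09 EventID=4624 LogonType=10 Account=nurse04 SourceIP=203.0.113.17
2020-09-26T22:04:00 EventID=4625 LogonType=10 Account=drsmith SourceIP=10.20.30.40
2020-09-26T22:04:30 EventID=4624 LogonType=10 Account=drsmith SourceIP=10.20.30.40
2020-09-26T22:10:00 EventID=4624 LogonType=2 Account=drsmith SourceIP=-
"""


def parse_events(text):
    """Turn the flattened log text into a list of event dicts, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "id": int(m["id"]),
            "logon_type": int(m["lt"]),
            "account": m["acct"],
            "ip": m["ip"],
        })
    return events


def detect_rdp_compromise(events, window=timedelta(minutes=10), threshold=5):
    """Flag every RDP success that follows at least `threshold` RDP failures from the
    same source IP within `window`: the spray-then-success shape of a brute-forced
    or credential-stuffed RDP logon. Returns one finding per flagged success."""
    failures = defaultdict(list)  # source IP -> [(timestamp, account tried), ...]
    findings = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != 10:        # only RemoteInteractive (RDP) logons matter here
            continue
        if ev["id"] == 4625:
            failures[ev["ip"]].append((ev["ts"], ev["account"]))
        elif ev["id"] == 4624:
            recent = [(t, a) for t, a in failures[ev["ip"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({
                    "ip": ev["ip"],
                    "account": ev["account"],
                    "failures": len(recent),
                    "accounts_tried": sorted({a for _, a in recent}),
                    "when": ev["ts"].isoformat(),
                })
    return findings


if __name__ == "__main__":
    for f in detect_rdp_compromise(parse_events(SAMPLE_EVENTS)):
        print(f"ALERT: {f['ip']} logged in as {f['account']} at {f['when']} "
              f"after {f['failures']} failed RDP logons across {f['accounts_tried']}")
```

On the sample, only 203.0.113.17 is flagged: six failures across four account names, then a success as nurse04. The single typo-then-success from 10.20.30.40 stays below the threshold, which is the point of the threshold; lower it and that legitimate user becomes noise.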

The Ryuk ransomware that shut down Universal Health Services is mostly (about 95% of the time) the end result of a phishing email: the email delivers the initial Trojan, and the operators behind it later deploy Ryuk. Phishing relies on the natural curiosity and trust of frontline workers to open the door, after which the attackers spread the infection to every device they can reach.

A phishing email can carry a subject line or body that makes a healthcare worker believe it comes from a trusted sender. A single curious click, whether opening an attachment or following a link, can begin a cascade of events like those at UHS.

What it does

Ransomware enters the victim’s system and encrypts files with strong cryptography that cannot be broken in practice. Once a system is infected, its data cannot be recovered without the decryption key unless a backup is available. Encryption takes readable data and scrambles it into an unreadable form; unscrambling it requires the decryption key, and only the attacker holds that key.

Today’s ransomware operators do their homework. Increasingly, they go after organizations that have the resources to pay quickly to get their systems back. Hospitals and healthcare facilities are thus prime targets, because extensive downtime has a direct impact on patient care.

A ransomware attack can have reverberating, disastrous effects on a healthcare facility:

  • Patient records can become inaccessible
  • Medication schedules can be lost
  • Medical devices can stop working
  • Computers and the network itself can become unusable
  • Email, phone and website systems can be knocked offline
  • Employees can be idled by the inability to access systems
  • Delivery of healthcare services can be significantly delayed or interrupted
  • Costs can skyrocket for each minute of downtime caused by the attack
  • Attacks can damage a provider’s reputation, even if the recovery is relatively fast

When there is no data backup available, or the backup system is not robust enough to recover the entire network, paying the ransom can become a last-ditch effort to restore the organization to normal. However, authorities strongly discourage paying up, because it rewards the criminal behavior and gives hackers an incentive to stay in business.

So, not surprisingly, ransomware attacks continue because they make money. In fact, according to some reports, the average ransom payment for the first quarter of 2020 was $111,605, up 33% from the last quarter of 2019. That average was skewed somewhat by large ransom payments from deep-pocket enterprise organizations. The median of just over $41,000, however, was only a fraction of the average, because the big ransom payments were, by volume, in the minority.

Also, according to ZDNet, ransomware accounted for 41% of all cyber insurance claims in the first half of 2020.

How healthcare orgs can combat ransomware


Preventing a ransomware attack from occurring is the first crucial layer of defense. One of the best ways to defend against ransomware is to keep operating systems, applications and network devices patched and up to date.

Here are some basic precautions that can help limit the risk of an infection:

  • Activate firewalls on the network and on individual devices where appropriate, and never expose RDP directly to the internet; put remote access behind a VPN or gateway that requires multifactor authentication.
  • Be alert to phishing emails. Never open attachments or click on links from unknown or unexpected sources.
  • Restrict access to websites and IP addresses that are not needed for any work purpose.
  • Block Office macros by policy, or at the very least never enable them when a document asks you to. Turn off the “hide extensions for known file types” setting so that a file named “invoice.pdf.exe” is visible for what it is: an executable, not a PDF. A .zip archive does not launch itself, but an executable inside it is only one double-click away.
  • Require multifactor authentication for access to all systems, especially remote access and administrative accounts.
  • Use access controls so users can only reach the directories and shares their job requires; ransomware encrypts whatever the compromised account can write to.
  • Deploy strong antimalware software across the organization to detect infections and block access to known malicious sources.
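The phishing precautions above (hidden extensions, macros, archives) can be turned into a mail-gateway or endpoint check. This is an added example written for this page, not code from Invenio IT or any product it mentions: it screens attachment names for the lures ransomware campaigns rely on (double extensions such as “invoice.pdf.exe”, macro-enabled Office formats, the right-to-left override character that makes “fdp.exe” display as “exe.pdf”) and looks inside zip archives for the same. The extension lists are an assumed starting point, not a complete policy, and the attachments and zip file are constructed in the code.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Starting blocklists (assumption: extend per environment, not a complete policy).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".jse",
                   ".vbs", ".vbe", ".wsf", ".hta", ".ps1", ".lnk", ".msi", ".dll"}
MACRO_EXTS = {".docm", ".xlsm", ".pptm", ".dotm", ".xltm"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
RTLO = "\u202e"  # right-to-left override: "report\u202efdp.exe" renders as "reportexe.pdf"


def classify_name(name):
    """Return the reasons a filename looks like a ransomware lure (empty list if none)."""
    reasons = []
    if RTLO in name:
        reasons.append("right-to-left override character in name")
    # suffixes of "Invoice.pdf.exe" -> [".pdf", ".exe"]; strip() defeats padding with spaces
    suffixes = [s.strip().lower() for s in PurePosixPath(name).suffixes]
    if not suffixes:
        return reasons
    last = suffixes[-1]
    if last in EXECUTABLE_EXTS:
        reasons.append(f"executable extension {last}")
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension disguised as {suffixes[-2]}")
    elif last in MACRO_EXTS:
        reasons.append(f"macro-enabled Office document {last}")
    return reasons


def inspect_zip(data):
    """Classify every file inside a zip attachment: the archive itself does not run,
    but the executable inside it is one double-click away."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def screen_attachment(name, data=b""):
    """Screen one attachment by its name, and by its contents if it is a zip archive."""
    reasons = classify_name(name)
    if data and zipfile.is_zipfile(io.BytesIO(data)):
        for member, why in inspect_zip(data).items():
            reasons.append(f"archive contains {member}: " + "; ".join(why))
    return reasons


def build_sample_zip():
    """Constructed sample: a zip hiding an executable behind a PDF-looking name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_0927.pdf.exe", b"not a real program, just sample bytes")
        zf.writestr("readme.txt", b"Please open the attached invoice.")
    return buf.getvalue()


# Constructed attachment list: (filename, raw bytes or empty when only the name matters)
SAMPLE_ATTACHMENTS = [
    ("lab_results.pdf", b""),
    ("Q3_budget.xlsm", b""),
    ("Invoice_0927.pdf.exe", b""),
    ("report" + RTLO + "fdp.exe", b""),
    ("scans.zip", build_sample_zip()),
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        reasons = screen_attachment(name, data)
        print(f"{name!r}: " + ("BLOCK: " + "; ".join(reasons) if reasons else "allow"))
```

Only the first attachment passes. Note that the zip’s own name raises nothing; it is the member list that condemns it, which is why an archive check has to open the archive rather than stop at the extension.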

Recovering from a Ransomware Attack

When an infection slips through, the most effective way to end the attack is usually to recover your data from a backup, which restores systems to a clean state and removes the infection with it. The caveat is that the attacker’s foothold (stolen credentials, backdoors, scheduled tasks) must be cleared first, or the restored systems can simply be encrypted again.

However, not all backup systems are up to the task. Older backup technology can make it extremely difficult to recover from a sprawling ransomware attack if the backups fail, can’t be restored quickly enough or simply weren’t performed frequently enough to prevent large-scale data loss. For example, if the last time you backed up was 12 Noon and the ransomware shut you down at 4 PM, you have lost four hours of data – a nightmare scenario for healthcare facilities.

Today’s best disaster recovery solutions offer greater backup frequencies and a wide range of recovery options. This enables healthcare IT personnel to employ the right restore option for the situation, for example: virtualized backups, bare metal restores, recovery point restores, ransomware rollbacks and so on.

The Datto SIRIS is a robust business continuity and disaster recovery (BC/DR) solution that can help healthcare organizations rapidly recover from data-loss incidents, whether it’s a massive ransomware attack or a few files that have been lost.

  • Datto creates incremental backups as frequently as every five minutes, using Inverse Chain Technology, which results in faster, more resilient and more efficient backups than traditional incrementals. These recovery points are the points in time to which you can roll your systems back, to just before the ransomware attack occurred.
  • Datto also offers a business-saving technology called Instant Virtualization, which allows users to run applications from image-based backups on virtual machines. Commonly referred to as “recovery-in-place” or “instant recovery,” it provides a seamless way for a business to continue operating while recovering from a ransomware attack. Datto’s version works for local or cloud recovery and can keep businesses up and running during disaster recovery operations.
  • Built-in ransomware protection also scans backups for signs of ransomware. If an infection is found, administrators are notified so they can act even faster.
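Two of the points above, that encryption turns readable data into an unreadable scramble (the “What it does” section) and that a backup chain can be scanned for signs of ransomware so that the right recovery point is chosen, rest on the same observable fact: encrypted files are close to random, and text or structured clinical data is not. The following is an added example written for this page, not Datto’s or Invenio IT’s code, and it does not describe how Datto’s scan works. It scores each file in a recovery point by Shannon entropy, skips formats that are legitimately high-entropy (compressed images, PDFs, Office files), declares a point dirty when more than an assumed 20% of its files look encrypted, and then walks a constructed five-minute chain backwards to find the newest clean point. The sample files, thresholds and extension lists are all assumptions.

```python
import math
import os
import random
from collections import Counter
from datetime import datetime

# Formats that are compressed or random-looking by nature; skipped to avoid false positives
# (assumption: extend per environment).
COMPRESSED_EXTS = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".pdf",
                   ".docx", ".xlsx", ".pptx", ".mp4"}


def shannon_entropy(data):
    """Bits per byte: plain text sits around 4 to 5, encrypted or compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspect(path, data, threshold=7.0, min_bytes=256):
    """True when a file that should be readable is near-random. Tiny files are skipped
    because an entropy estimate over a few bytes is capped by log2(len) and unreliable."""
    if len(data) < min_bytes or os.path.splitext(path)[1].lower() in COMPRESSED_EXTS:
        return False
    return shannon_entropy(data) >= threshold


def scan_recovery_point(files, max_suspect_fraction=0.2):
    """files maps path -> bytes. Returns (is_clean, suspect_fraction, suspect_paths)."""
    suspects = sorted(p for p, d in files.items() if is_suspect(p, d))
    fraction = len(suspects) / len(files) if files else 0.0
    return fraction <= max_suspect_fraction, fraction, suspects


def last_clean_recovery_point(points):
    """points: iterable of (timestamp, files). Newest point that passes the scan, else None."""
    for ts, files in sorted(points, key=lambda p: p[0], reverse=True):
        if scan_recovery_point(files)[0]:
            return ts
    return None


# ---- constructed five-minute recovery-point chain (sample data, not real records) ----
_CLINICAL_TEXT = (
    b"MSH|^~\\&|LAB|WARD3|EHR|MAIN|20200927154500||ORU^R01|0001|P|2.5\r"
    b"PID|1||MRN000001||DOE^JANE||19700101|F\r"
    b"OBX|1|NM|GLU^Glucose||98|mg/dL|70-110|N|||F\r"
    b"OBX|2|NM|K^Potassium||4.1|mmol/L|3.5-5.1|N|||F\r"
) * 10
_rng = random.Random(20200927)


def _random_bytes(n):
    # Stands in for ciphertext: uniformly random bytes score close to 8 bits per byte.
    return bytes(_rng.getrandbits(8) for _ in range(n))


def _snapshot(encrypted_paths=()):
    files = {
        "ward3/results_0927.hl7": _CLINICAL_TEXT,
        "ward3/med_schedule.csv": b"patient,drug,dose,time\nMRN000001,metformin,500mg,08:00\n" * 20,
        "ward3/notes.txt": b"Patient resting comfortably. Vitals stable. Reassess at 18:00.\n" * 20,
        "ward3/xray.pdf": _random_bytes(2048),  # legitimately high-entropy; must not alert
    }
    for p in encrypted_paths:                   # replace content with "ciphertext"
        files[p] = _random_bytes(len(files[p]))
    return files


SAMPLE_POINTS = [
    (datetime(2020, 9, 27, 15, 45), _snapshot()),
    (datetime(2020, 9, 27, 15, 50), _snapshot()),
    (datetime(2020, 9, 27, 15, 55), _snapshot(["ward3/results_0927.hl7", "ward3/notes.txt"])),
    (datetime(2020, 9, 27, 16, 0), _snapshot(["ward3/results_0927.hl7", "ward3/notes.txt",
                                               "ward3/med_schedule.csv"])),
]

if __name__ == "__main__":
    for ts, files in SAMPLE_POINTS:
        clean, frac, suspects = scan_recovery_point(files)
        print(f"{ts:%H:%M}: {'clean' if clean else 'SUSPECT'} ({frac:.0%} of files) {suspects}")
    print("roll back to:", last_clean_recovery_point(SAMPLE_POINTS))
```

The chain reports 15:45 and 15:50 clean, 15:55 half encrypted and 16:00 three-quarters encrypted, so the rollback target is 15:50: the data loss is five minutes rather than the four hours of the noon-backup scenario above. The PDF full of random bytes never alerts because its format is excluded, which is also the blind spot of this heuristic; a scanner that cannot tell a compressed file from an encrypted one needs a second signal, such as new file extensions or ransom notes appearing across many directories.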

Learn more

Learn more about protecting your healthcare organization from a ransomware attack with BC/DR solutions from Datto. Request a free demo or speak to our business continuity experts at Invenio IT today. Call (646) 395-1170 or email success@invenioIT.com
