Two University of Florida (UF) Health hospitals recently noticed unusual activity within their computer systems and quickly realized it was a data breach. UF Health is a healthcare network that provides care to counties throughout Florida. The hospitals affected include the Villages Regional Hospital and the UF Health Leesburg Hospital. Last October, several federal agencies warned about an upsurge of ransomware attacks against critical U.S. infrastructure, including the healthcare industry.
On May 31, staffers shut down multiple UF Health computer systems after detecting unusual activity. The systems shut down included electronic health records as well as email. Personnel also suspended network connections between UF Health Central Florida and other UF Health facilities. After the incident, Frank Faust, a spokesman for the hospitals, stated:
Our information technology team has been collaborating with IT experts on our Gainesville and Jacksonville campuses to investigate what caused the situation and minimize any potential risks. In an abundance of caution, and to protect confidential [PHI], we implemented a series of backup procedures that enabled our staff to continue to provide comprehensive inpatient and outpatient care without interruption.
The two hospitals, which thankfully continued to function after the incident, are currently using pen and paper for patient care.
This is the second cyberattack involving UF Health within the past year. While the hospital has not confirmed the type of cyberattack, several local news outlets have called it a ransomware attack. The hospital has yet to confirm the cause of the breach.
Ransomware becomes increasingly problematic
Recently, there has been increased scrutiny of ransomware attacks because cyber attackers are focusing on critical infrastructure. Recent victims include the meat supplier JBS, Massachusetts Steamship Authority, New York Metropolitan Transportation Authority, and the Colonial Pipeline. Ransomware is malware (malicious software) used to deny a victim access to a system until a ransom is paid. Victims can download malware through phishing emails that include malicious attachments or fraudulent links. A simple click can give a hacker access to data for encryption, exfiltration, and/or ransom. Ransomware attacks have become so common that the U.S. government stepped in, calling these incidents a ransomware epidemic. Several governmental agencies recently created a task force, and the Department of Justice (DOJ) has even given ransomware attacks the same priority as terrorism. How these efforts will change things in the future is hard to say, especially for healthcare providers currently fighting to continue patient care under these stressful circumstances.
Cyberattacks on healthcare
According to a Check Point report, the healthcare and utility sectors have been the most targeted industries for ransomware over the past year. Researchers observed a 21% increase during the first trimester of 2021 and a 7% increase in April alone. Some of this may be due to attacks that feed on fears surrounding the coronavirus pandemic, but reports also show that breaches have become more frequent and more sophisticated over the past several years. In fact, UF Health is the fourth health system, along with Alaska’s Department of Health and Social Services and Scripps Health, to experience an attack in just the last month. Such ransomware attacks cost the healthcare industry $20.8 billion in downtime in 2020, double the number from 2019. It’s daunting to think what this could mean for healthcare providers in 2021 if the trend continues.
Prevention and preparation
This is why prevention and preparation are the best tactics for combating future cyberattacks, and why the DOJ urges all organizations to protect themselves. Various organizations, such as the National Institute of Standards and Technology and Microsoft, have released best practices.
Generally, all such lists insist that cybersecurity must be layered for maximum protection and should include a mix of such features as:
- Cybersecurity training
- Access controls (e.g., password policies)
- Endpoint security (e.g., encryption, VPNs, and firewalls)
- Network segmentation
- Prompt patching and updates
- Email security (i.e., HIPAA-compliant email)
In case of a breach, organizations also need a solid business continuity plan along with the proper backup and recovery processes. That’s because the best approach to cybersecurity is a zero-trust approach, in which every person and every device that accesses a network is treated as a potential threat. Rather than letting a breach cripple a system, make sure your cybersecurity provides you with appropriate layered defenses.