If your breach is big enough, members of Congress take notice.
Such is the case for Universal Health Services. In a letter today, Senate Intelligence Committee Vice Chairman Mark Warner, D-Va., wrote to UHS Chairman and CEO Alan B. Miller to express “grave concerns” about a ransomware attack late last month and request more information on the company’s cybersecurity posture prior to the breach.
“As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity,” Warner wrote. “While initial reports suggest that the attackers did not access patient or employee data, an incident such as this sharply highlights the need to ensure adequate cybersecurity hygiene in a healthcare setting.”
From broad to quite specific, Warner's letter provides insight into some of the questions companies could get asked by Congress or federal regulators in the wake of a ransomware attack. He inquired about the state of UHS cybersecurity prior to the attack, about details on vulnerability and patch management policies, about the extent of network segmentation between different facilities and systems, and about third-party risk management policies. He asked whether medical devices are isolated from administrative systems and networks to prevent disruption in the wake of an attack.
Warner also asked whether UHS decided to pay the ransom and, if so, how much; he asked for confirmation that HIPAA-protected data was not accessed or exfiltrated; and he asked for the name of the senior executive overseeing the recovery and response efforts.
The incident was confirmed by UHS on Sept. 29. In an update posted Oct. 5, the company said that shortly after becoming aware of an ongoing cyber attack on Sunday, Sept. 27, it “quickly disconnected all systems and shut down the network in order to [prevent] further propagation.” The company claims that major information systems, like its electronic health records system, were “not directly impacted” and that it was working to bring systems back online and restore others from backups.
Warner notes that cybersecurity experts have warned for years about the threat ransomware poses to the health sector, and that such activity has only intensified since the coronavirus pandemic pushed millions of employees to work from home.
Indeed, government agencies in the two countries where UHS operates, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre, have both warned in recent months about the increased targeting of health care facilities by nation-state hacking groups. In a newly released guidance document on how organizations should prepare for ransomware, CISA advises that restoring systems related to health and safety should be among the first priorities.
A bad breach can bring other aspects of a company's business operations under greater scrutiny. Large, consolidated health care companies with facilities that share interconnected software systems are particularly at risk, as a single breach could impact systems and patient data across state and national borders. Such distributed entities, Warner argued, have unique obligations around cybersecurity.
“With the full resources of a Fortune 500 company receiving over $11 billion in annual revenue, UHS’s patients expect and deserve that their provider’s cybersecurity posture be sufficiently mature and robust to prevent major interruptions to health care operations,” he said.