
Health care ransomware attacks: Oklahoma health system driven to EHR downtime


Stillwater Medical Center was hit with a ransomware attack on June 13 and is currently operating under electronic health record downtime as it attempts to bring its systems back online. The health system operates a number of care sites, specialist offices, hospitals and clinics in Oklahoma. 

According to the health care provider, the IT team quickly moved to ensure the security of the environment after the incident impacted access to certain systems. Upon discovery, officials contacted law enforcement and engaged with a computer forensic firm to assist with the recovery process. 

In the immediate wake of the attack, Stillwater experienced major disruptions of its phone systems, and patients were urged to call 911 in the event of an emergency. On social media, reports show the online patient portal, app and email system were also impacted by the incident. 

Patient care continues to be provided, but some appointments have been canceled and will be rescheduled. The latest update on June 15 shows that phone service continues to be working only intermittently throughout the health system. 

The incident is the latest in a string of attacks on health care organizations. Here is the latest on some of the most recent.

UF Health remains offline, two weeks after cyberattack 

The Stillwater incident resembles the cyberattack on two University of Florida Health hospitals two weeks ago. The Villages Regional Hospital and Leesburg Hospital have been operating under downtime procedures after a suspected ransomware attack on May 31. 

The Villages is one of the largest U.S. retirement communities, with over 130,000 residents. 

The cyberattack caused unusual activity on the computer systems, prompting the IT staff to quickly shut down multiple IT systems in an effort to protect patient data and slow the spread. 

The IT teams for both hospitals are working in tandem on the investigation and recovery efforts. The teams have also suspended access to system platforms, including the communication lines between all UF Health hospitals and the University of Florida campus. 

Since the attack, clinicians have been documenting all patient care with pen and paper processes. 

The latest update from local news outlet WESH 2 shows the hospitals are continuing to operate under EHR downtime procedures, and some employees are concerned that the cyberattack is negatively impacting patient care. 

One staff member reported that without EHR access, clinicians are unable to verify patient allergies or potential drugs to avoid. Other clinicians reported that the system outages have caused patients to either miss medications or to receive the wrong prescription. 

The hospital staff is calling pharmacies directly to verify patient prescription histories. There have also been reports of staff inadvertently matching patients with the wrong lab chart. The outages have also caused long delays in the receipt of lab reports. 

For now, UF Health’s IT teams are continuing their attempts to bring the systems back online. Officials have not yet determined how long the process will take. 

Ireland HSE ransomware incident: Month-long recovery efforts continue 

The Ireland Health Service Executive (HSE), the country’s public health system, is still trying to bring its systems back online after a “significant ransomware attack” crippled its network on May 14.

The latest update at 10 a.m. ET on June 16 shows HSE is continuing to ask patients to bring their health information with them to the emergency department, such as medical record or patient chart numbers, a list of medications, and any previous discharge summaries, to assist the care staff.

The attack has been attributed to the notorious Conti hacking group, which has targeted the health care sector in the last year, even as the industry fought to combat the pandemic. The attackers have dumped troves of health care data from multiple health care entities connected to these attacks. 

The cyberattack has caused massive IT issues across the Ireland East Hospital Group, with HSE telling patients to check into the emergency department for only life-threatening conditions. Patient care has continued throughout the event and recovery efforts, but some outpatient appointments were canceled. Non-urgent patients were told to expect long delays. 

The radiology and medical imaging departments across all sites appear to have been the hardest hit by the attack. Immediately following the attack, appointments for those departments were canceled. 

An internal memo earlier this week shows that recovery is well established and activity levels have increased at most care sites. 

“Notwithstanding the substantial technical recovery and improved operational capacity, it’s evident that information and communications technology (ICT) and clinical communication systems fall short of what is required to work safely and deliver care at an acceptable level of risk,” HSE Chief Clinical Officer Colm Henry, MD, explained to staff. 

“In most instances workarounds remain in place,” he added. “Major ICT systems such as NIMIS, Apex and ICM have been restored, but not to the level required to provide system integration and seamless clinical communication. It remains the case that recovery of ICT systems is not synonymous with service recovery.” 

HSE is prioritizing restoration based on risk and clinical need, but ICT recovery is “patchy and inconsistent,” and internet access has not been restored. 

The CCO also noted that radiologists are still required to be on site for on-call shifts, while stressing that it's understood that the situation is straining staff.

The IT team is currently uploading backlogs and reconciling patient records. As the team works to search, cleanse and rebuild systems, in some cases they’ve discovered certain systems and devices have been destroyed beyond repair. 

“Scheduled care has, [by] necessity, now resumed in hospitals. Recovery in community services has been slower and this represents a burden on elements of the care pathway. While the level and pace of recovery remains variable, I am grateful for your collective patience and collaboration,” Henry concluded. 

The HSE has been a model for transparency, using its social media account to provide frequent and detailed information on the ongoing network outages and care disruptions. More often than not, health care providers are known for vague communication with the public after a breach or security incident. 

Emsisoft provided HSE with a free decryptor, in lieu of the one provided by attackers, and the health system has partnered with government agencies and the private sector to remediate the attack impact. 

New Zealand Waikato DHB remains in EHR downtime, one month after attack 

More than one month after a ransomware attack struck multiple hospitals of the Waikato District Health Board (DHB) in New Zealand, the IT team is still attempting to bring a host of services back online, according to local news outlet Otago Daily Times.

Clinicians are continuing to operate with EHR downtime procedures and using pen and paper to record patient interactions. DHB hired hundreds of additional IT workforce members to assist with recovery efforts, as officials refused to pay the attackers’ demands. 

As a result, the team has been able to restore about 20 percent of its workstation network and more than half of its servers. 

The DHB attack occurred several days after the Ireland HSE security incident, with similar results: major IT outages, downed phone lines, and computer system failures. All clinical systems and IT services, outside of email, were disrupted by the attack. 

Reports from on-site clinicians and staff members showed the cyberattack caused chaos at the impacted hospitals. Providers have been unable to send x-ray images between departments, access patient notes, or access patient records. 

In the immediate wake of the attack, the public was urged not to visit the emergency departments, unless it was a life-saving incident, and elective surgeries were postponed. Non-emergency patients were diverted to nearby care sites. 

The latest update shows DHB was able to bring two out of four radiation therapy machines back online, which has enabled treatments to resume for those patients. DHB leadership called the recovery an “important milestone.” 

DHB has also restored access to several other systems, including its communication lines, some computer applications, and email accounts. Leadership has prioritized the recovery of radiation, lab, radiology and patient management systems. 

However, there is much work to be done to recover the remaining systems, as DHB employs hundreds of servers, multiple network sites, and thousands of workstations and mobile devices. 

DHB is continuing to work alongside an outside specialist services firm to secure and test each device and system before bringing the tech safely back online. The timeline for full recovery is still unknown. 

Ongoing ransomware wave 

The health care sector is in the midst of yet another ransomware wave, after a previous onslaught of attacks and EHR outages investigated by the FBI in the fall of 2020. Recent Check Point data shows provider organizations have continued to be a leading target for nefarious actors. 

Since April, researchers have observed an average of 1,000 entities affected by ransomware attacks each week, or a 21 percent rise during the first trimester of 2021 and a seven percent increase in April. These attacks show no signs of slowing down. 

So far in the first half of 2021, ransomware attacks have brought down the networks of multiple providers, including Scripps Health, Rehoboth McKinley Christian Hospital in Gallup, New Mexico, Arizona-based Cochise Eye and Laser, St. Margaret’s Health–Spring Valley, and Allergy Partners in North Carolina, among others. 

On average, ransomware attacks cause about 15 days of EHR downtime, according to Coveware estimates.

As a reminder to health care entities, Emsisoft has previously offered to provide free assistance with ransomware recovery amid the pandemic response and in light of the targeted attacks.  

Providers should also review ransomware resources from the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency and also NIST to ensure they’ve employed best practice defense and mitigation measures. 

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
