Submitted by: Daryl Haegley Director, Mission Assurance & Cyber Deterrence at the DOD and (CS)²AI Fellow
By MAGGIE MILLER 10/09/20
Sen. Mark Warner (D-Va.) on Friday raised concerns around a recent cyberattack on hospital chain Universal Health Services (UHS) that resulted in the data of millions of customers potentially being compromised.
In a letter to UHS Chairman and CEO Alan Miller, Warner, who serves as vice chairman of the Senate Intelligence Committee, asked a series of questions in relation to a ransomware attack on UHS last month that crashed systems at hospital facilities across the nation.
UHS has more than 400 facilities in the U.S. and United Kingdom, with more than 90,000 employees, and it has previously stressed that there is no evidence any data was stolen or accessed. NBC News reported last week that the incident had the potential to be one of the largest cyberattacks on the medical sector in U.S. history.
“I write you with grave concerns about United Health Services’ digital medical records and clinical healthcare operations succumbing to an apparent ransomware attack,” Warner wrote to Miller. “As one of the nation’s largest medical facility operators with 3.5 million patient visits a year, it is imperative that medical care is provided to all patients without any interruption or disturbance created by inadequate cybersecurity.”
Warner noted that “while initial reports suggest that the attackers did not access patient or employee data, an incident such as this sharply highlights the need to ensure adequate cybersecurity hygiene in a healthcare setting.”
The cyberattack took place in the midst of the COVID-19 pandemic, which has placed huge stress on health care groups around the world, with Warner noting that the attack on UHS “only exacerbates the consequences of insufficient cybersecurity.”
Warner asked Miller and UHS to respond to a series of questions around the attack within two weeks, including asking him to detail the company’s cybersecurity and risk management protocols and whether UHS has paid the ransom to the hackers.
“Patients deserve to know that healthcare systems are secure, particularly as the nation faces a pandemic straining resources nationwide,” Warner wrote. “When a cybersecurity failure occurs, patients need reassurance that their healthcare provider is committed to learning from and responding to this truly concerning incident, and that it is taking all appropriate steps to help ensure it cannot happen again.”
UHS did not respond to The Hill’s request for comment on the letter.
The health care company put out a statement last month acknowledging the attack and emphasizing that as of Sept. 29, the company had “no evidence that patient or employee data was accessed, copied or misused.”
“The Company has implemented extensive information technology security protocols and is working diligently with its security partners to restore its information technology operations as quickly as possible,” UHS said.
“In the meantime, while this matter may result in temporary disruptions to certain aspects of our clinical and financial operations, our acute care and behavioral health facilities are utilizing their established back-up processes including offline documentation methods,” it added. “Patient care continues to be delivered safely and effectively.”
Cyber criminals and nation state hackers have increasingly zeroed in on the health care sector during the COVID-19 pandemic, with ransomware attacks, which involve a hacker accessing and encrypting a system and demanding payment to reinstate access, becoming a major concern.