Lessons Learned from the Universal Health Services Cyber Attack

November 17, 2020
Steve Wise

Healthcare providers of all sizes must ensure they are doing their due diligence to protect their networks and their patients.

In late September, computer systems at Universal Health Services Inc. (UHS), one of the nation’s largest hospital chains, were taken offline after a malicious ransomware attack crippled the company’s computers and led it to cancel surgeries and divert some ambulances. In the midst of a global pandemic, it sent healthcare providers across the world scrambling to make sure their networks were secure. Since that time, copycat attacks on healthcare-related facilities and firms have become increasingly common.

While UHS is a large organization, healthcare providers of all sizes must ensure they are doing their due diligence to protect their networks and their patients. As a CIO with a long career focused on cybersecurity in health care, I’ve learned you can’t be too cautious when it comes to networks. There is always room for improvement and, while it doesn’t necessarily cost a lot of money to protect a network, it does take time. The more you prepare for something like this the more it will mitigate risk when a breach happens. Just remember, it’s not a matter of if a cyberattack will happen, but of when.

Employee Awareness

The number one issue in protecting any healthcare organization’s network is employee awareness. Contrary to popular belief, most hacks do not happen because of employee integrity or character issues. They are primarily due to negligence and ignorance. Often a breach happens when employees have lowered their guards. For example, phishing emails can be disguised as coming from companies such as Apple or Microsoft requesting an update or password change with a provided link. Of course, this link is actually designed to capture passwords and other sensitive information that will enable cybercriminals to access your network and create a breach.

The best weapon against these types of threats is education. Organizations should regularly train their teams to recognize red flags such as phishing emails or “smishing” text messages. This must take place on a regular basis. One option is to send emails once every few weeks educating teams on possible red flags and what to do if they receive one. If your team is working remotely, consider holding mandatory webinars on recognizing suspicious activity to decrease your overall risk.

Monitoring

Sometimes you can catch a problem before it happens. If you are a health care provider and use Salesforce, as do many of our clients, we recommend using data monitoring products tailored to that program such as Salesforce Shield or FairWarning. Products like these have settings designed to notify administrators if there is any unusual or unauthorized activity, helping prevent breaches from ever happening. But no software is perfect. Every system needs a human element with team members focused on various responsibilities to prevent breaches as well as proper and early reporting when a breach occurs.

Policies and Procedures

Make sure your team has very detailed policies and procedures in place to prevent breaches. The entire organization needs to understand the importance of, and their roles and responsibilities in, the continued cybersecurity of the organization. These policies and procedures must be updated and communicated when something changes. Leadership must have a plan for every step of the employee experience.

For example, what happens when new team members are hired? What elevates an activity from a potential to an actual threat? What happens when an employee leaves? These policies ensure that cybercriminals are neutralized before they are able to inflict harm on the network or leverage the firm’s data with malicious intent.

Network Access

One of the most important policies a company or organization can develop is its Network Access Policy. It is important that team members not have access to the network beyond their job function and seniority level. The last thing IT security teams want is for an employee to make a mistake with data they should never have accessed or are not trained to use.

On the flip side, setting access restrictions that are too draconian can lead to frustration, lack of efficiency, and poor performance. So take the time to thoughtfully consider and regularly evaluate your team’s access protocols, as it can pay great dividends in the long run.

Test for Vulnerabilities

Organizations usually have some type of security software such as anti-virus, anti-malware, and anti-phishing software. With automatic updates, it is easy to keep security on each computer up to date. However, it is equally important to test the software. This can be done by a team member sending an email that mirrors an actual phishing email.

Better yet, hire an outside organization to try and “hack” your system. Upon completion, you should expect a detailed report on vulnerabilities within your network that you can use as a roadmap for improvements and training. While there is a price tag associated with these tests, they are more than worth it compared to the costs associated with an actual cyber attack.

Backups

Finally, find the appropriate frequency for data backups. Daily backups can be costly and monthly might not be frequent enough. If your data is ever compromised, it is important to minimize network downtime. While analog methods can be used to handle daily processes, leaving a temporary paper trail, if there is extended downtime, you may find your business is unable to recover from the dramatic loss of productivity and customer trust.

A cyberattack can come in many forms, from ransomware to corporate espionage. It is not a matter of if, but when it will happen to your organization, just as it did with Universal Health. While no network is ever completely safe, there are ways you can protect yourself, your team, and your customers. From creating solid policies to providing regular training and managing access, the more diligent you are, the more your risk will be mitigated. The decision is yours on how you can better strengthen your network. The important thing is to get started today. It’s never too late!

Steve Wise is the CIO of VALiNTRY and President of VALiNTRY’s Consulting Division.
