'We got taken down': UVM Medical Center says cyberattackers were likely after money

Dan D'Ambrosio
Burlington Free Press
IT staff at the University of Vermont Medical Center in Burlington continue work to scan thousands of the hospital’s computer systems for malware on Friday, Nov. 20, 2020, after a cyberattack forced a shutdown of the hospital’s electronic medical records system and other key systems.

The October cyberattack that devastated the University of Vermont Medical Center's IT systems was "in the class of ransomware attacks," the hospital revealed for the first time Tuesday.

Dr. Doug Gentile, the hospital's senior vice president of network information technology, chose his words carefully in an afternoon Zoom call with reporters, saying the attackers included a file with information on how to contact them, but did not demand money in exchange for the tool to decrypt the hospital's files.

"We did not contact them, we have not had any contact with the attackers," Gentile said. "We considered it for about five seconds."

Gentile said he didn't know the motivation behind the attack, but assumed the attackers would have demanded money had the hospital contacted them.

For weeks, Dr. Stephen Leffler, president and chief operating officer of the hospital, has denied the attack involved a demand for ransom. The FBI previously gave UVMMC permission to characterize the attack as ransomware, Gentile said on Tuesday.

Dawn LeBaron, Vice President of Hospital Services at the University of Vermont Medical Center, displays a paper spreadsheet on Friday, Nov. 20, 2020. A cyberattack forced a shutdown of key systems including electronic medical records.

"I think the nuance there is we did not actually have a ransom note or request," Gentile said. "We had an indicator of how to contact the attackers. We assumed the reason to contact them was to hold us at ransom."

The investigation into the cyberattack by the FBI is ongoing, Gentile said, which is why the hospital has not shared many of the details of the attack.

What happened to my app?

The first indication that the hospital was under attack was when various applications stopped working, according to Gentile.

"Because there was no overt message, we didn't think it was malware," he said. "As we dug in and started an investigation we became increasingly suspicious."

A nurse at the University of Vermont Medical Center writes notes on a paper patient chart on Friday, Nov. 20, 2020, after a cyberattack forced a shutdown of key systems, including electronic medical records.

After about two hours, investigators found the file with contact information for the attackers. At that point, the hospital moved immediately to cut off access to its systems and the internet, Gentile said.

By cutting off access, the medical center was able to prevent the malware from infecting vendors and other hospitals in the UVM Health Network, Gentile said. The hospital also took Epic, its system for electronic health records, offline.

"Honestly because our entire infrastructure was down we weren't able to run Epic anyway," Gentile said. "It was the prudent thing to do." 

Wiping the malware clean

The cyberattack had two major impacts, according to Gentile. First, the malware encrypted the files and data behind all of the hospital's infrastructure and applications on its servers. Second, the attack deposited malware on more than 5,000 computers and laptops used by the hospital.

Computers impacted by a cyberattack at the University of Vermont Medical Center in Burlington await retirement on Friday, Nov. 20, 2020. After the attack forced a shutdown of the hospital’s electronic medical records system and other key systems, the IT department, with support from the Vermont National Guard’s cyber team, scanned thousands of computers for malware and replaced machines for hospital staff.

"They do this for one reason," Gentile said. "It gives them persistence. If we don't respond they can come back in and do further damage."

The medical center had good backups, Gentile said, but the task of wiping computers, laptops and servers clean and reinstalling all the data and software was a "huge undertaking," requiring an entire month.

"If there's any good news in an event like this it's that there is no evidence that any patient or employee data was accessed or extracted," Gentile said. "At this point we're confident hackers didn't obtain patient information or other sensitive information."

Trying to stay ahead of the bad guys

About 80% of the hospital's applications have been restored, representing about 98% of its functions, according to Gentile.

"There are some specialty specific systems that need to be restored," he said. "The major systems are up."

In this image provided by the University of Vermont Health Network, nurses at the University of Vermont Medical Center in Burlington pore through paper records on Friday, Nov. 20, 2020. A cyberattack forced the hospital to return to paper records.

The medical center has scanned every computer and server for lingering indicators of malware and has found none, Gentile said.

"If we found anything we assumed the device was compromised," he said. "At this point we're as sure as we can be (that no malware remains)."

The hospital has "learned lots of lessons" from the attack, Gentile said, which it is sharing with the rest of the industry in a variety of forums. Despite having strong security processes in place, he said, "we got taken down."

"This clearly is an arms race," Gentile said. "We all have to continually update our tools and approaches to stay ahead of the bad guys. Unfortunately, this is the world we're in."

Contact Dan D’Ambrosio at 660-1841 or ddambrosio@freepressmedia.com. Follow him on Twitter @DanDambrosioVT.