How Vermont’s largest hospital now protects patient info 3 years after ransomware attack
BURLINGTON, Vt. (WCAX) - Nearly three years after Vermont’s largest hospital fell victim to a ransomware attack, hospital officials say they’ve made progress toward better systems to protect patient information.
During the breach, nearly 1,300 servers were compromised on more than 5,000 devices across the UVM Health Network. Hospital officials say while no patient or employee information was stolen, the process cost them $65 million.
In the years since the attack, hospital officials say they’ve been able to strengthen their systems. However, experts say threats like this are becoming more commonplace.
“It affected every single part of our function, everything that we do... Unbelievable,” UVM Medical Center President and COO Dr. Stephen Leffler testified before a joint committee on Capitol Hill, referring to the employee-caused ransomware attack that compromised thousands of devices within the network in October 2020.
“Someone had their computer at home, clicked on something, plugged back into the system when they came back to work-- that’s how it happened,” Leffler said.
One click that left more than 5,000 devices across the health network under siege.
Leffler said the hospital’s IT department acted quickly and shut down everything from the internet to the hospital’s electronic medical record systems. That forced staffers to switch to paper records. The shutdown lasted nearly a month.
“You can practice all you want and we practice frequently to be down a day or two, but no one is prepared for 28 days,” Leffler said.
In the years following the attack, Leffler said the hospital has taken significant steps to double down on cybersecurity, like adding more layers of authenticating and strengthening the process to access electronic records.
“So if it happens again, I think people should be reassured that we did well the first time and we’re even more prepared now,” he said.
Despite added protections, cybersecurity experts warn threats like this one are ever-evolving, and to protect against them, it can start with you.
“I want to make it so that everyone has a security mindset so that when they see something, they immediately question it. And until organizations like Microsoft and all the other email providers do a better job of filtering those garbage emails out, those phishing attempts and the spam, it’s going to be a part of our life,” said Henry Collier, a cybersecurity expert at Norwich University.
Leffler said training for staff has improved dramatically as well. The hospital has even worked with the IT department to send out emails with fake links to use as teaching moments for employees who interact with them.
In his testimony on Capitol Hill, Leffler called on lawmakers to push for more federal grants to help purchase stronger security software.
Copyright 2023 WCAX. All rights reserved.