UMC Struggles to Recover from Extensive Ransomware Attack

Date: October 15, 2024


As of October 11, UMC Health reported significant progress in restoring several key IT systems following a recent outage. Most notably, its Electronic Health Record (EHR) system is back online and operational across all UMC locations, a crucial milestone for patient care and internal operations.  

Additionally, UMC has restored its “Find-a-Physician” feature on its website, allowing patients to resume access to physician information and appointments. Patients are now able to communicate with UMCP Clinics via the MyTeamCare patient portal, which has also been restored.

Despite these advances, UMC acknowledged that there is still work to be done, particularly with restoring more patient-facing systems and internal programs crucial for patient care. UMC emphasized that while emergency services, including ambulance arrivals, remain operational, some patients are still being diverted.  

The organization continues its investigation into the full nature and scope of the incident, working alongside third-party firms to ensure a safe and secure restoration of all services. For updates from UMC Health, see UMC IT Outage Update.

Meanwhile, Texas Tech University Health Sciences Center (TTUHSC), which relies on UMC as its primary teaching hospital, is still working to restore its own IT systems.  

In an update to faculty and students, TTUHSC informed them that deadlines may be reviewed and adjusted depending on the restoration progress. Faculty were advised to prioritize urgent tasks once the systems are restored.  

TTUHSC continues its efforts to fully recover from the outage, which has impacted both teaching and administrative functions. For the latest from TTUHSC, refer to updates for students and faculty.

Takeaway: The recent ransomware attack on UMC Health, which disrupted critical IT systems, has raised significant concerns about cybersecurity within healthcare organizations.  

As UMC Health announced the restoration of its Electronic Health Record (EHR) systems and other key IT infrastructure, it became clear that this recovery process offers valuable insights into the complexities and challenges healthcare entities face during such attacks.  

With two to three weeks having passed since the incident, UMC has made considerable progress, yet many "patient-facing systems, as well as internal programs for patient care" remain inoperative.  

This raises an important question: were UMC’s EHRs compromised in the attack, or were they deliberately taken offline as a preventative measure?

From a healthcare cybersecurity perspective, it’s plausible that UMC Health proactively took its EHRs offline to prevent the spread of ransomware across its network. By doing so, UMC could have been trying to mitigate the potential damage that ransomware might cause to critical systems tied to patient records and care operations.  

While this approach would be a sound defensive strategy, the broader implications of the attack suggest a more complex scenario. Although UMC’s EHR servers have been restored, the continued inaccessibility of other patient-facing systems and internal care programs indicates a deeper disruption.  

The issue likely goes beyond simply isolating the EHRs from ransomware. The fact that other essential systems remain offline suggests that the workstations or devices healthcare providers use to reach the EHR servers may still be unusable.

These workstations include the physical computers in hospitals and clinics that staff depend on to interact with patient records. Until these are fully functional, operational efficiency is severely hindered, even though the core EHR servers have been restored.

In large-scale ransomware attacks like the one on UMC Health, healthcare organizations often prioritize restoring their servers first. This is because the servers are the backbone of clinical operations, ensuring that essential patient data remains accessible.  

However, after restoring the servers, organizations face the more labor-intensive task of reimaging or replacing individual workstations. This phased recovery approach helps restore critical functions like patient data access as soon as possible, even though access at the user level remains limited until all affected devices are fixed.

The ongoing IT outage at Texas Tech University Health Sciences Center (TTUHSC), which partners with UMC Health as its primary teaching hospital, highlights another key concern in this incident.

It is possible that the ransomware attack that impacted UMC Health is also affecting TTUHSC’s systems. If true, this situation underscores important lessons for healthcare organizations and their partners in preventing similar attacks.

Ransomware operators aim to infiltrate as much of a network as possible before deploying their encryption payload. Their goal is to cause widespread disruption to maximize the ransom payment.  

While UMC Health and TTUHSC are separate entities, their networks may be interconnected, potentially sharing infrastructure or data systems. If attackers managed to breach UMC’s systems and compromise user credentials, they could have moved laterally through shared network resources, affecting systems used by TTUHSC in the process.

This scenario highlights the critical need for strong network segmentation in healthcare organizations. Segmentation limits the attacker’s ability to move laterally across different systems, reducing the overall impact of the attack.  

Furthermore, organizations must adhere to the principle of least privilege, where user permissions are restricted to only what is necessary for specific roles. This security measure raises the bar for attackers attempting to escalate privileges and move deeper into the network.
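As an added illustration (not from the original post, and not a model of either organization's real network), the following Python treats a stolen credential as a foothold and walks the flows a policy allows. Zone names, flows and roles are assumptions; the point is how far a compromised UMC workstation account reaches under a flat, over-privileged policy versus a segmented, least-privilege one.

```python
"""Lateral-movement reach under a flat, over-privileged policy versus a segmented, least-privilege one.
Added example, not from the original post; zones, flows and roles are assumptions modelling the
shared-infrastructure scenario the post describes, not either organization's real network."""
from collections import deque

# A flow (src, dst, role) means: a foothold in zone src can open sessions into zone dst if the
# attacker holds credentials carrying role. Every zone reached becomes a new foothold.
FLAT_OVERPRIVILEGED = [
    ("umc-workstations", "umc-ehr", "domain-user"),       # any domain user reaches EHR servers
    ("umc-workstations", "shared-infra", "domain-user"),  # file/print/AD shared with the partner
    ("shared-infra", "ttuhsc-admin", "domain-user"),
    ("shared-infra", "ttuhsc-teaching", "domain-user"),
    ("ttuhsc-admin", "ttuhsc-teaching", "domain-user"),
]
SEGMENTED_LEAST_PRIV = [
    ("umc-workstations", "umc-ehr-broker", "clinician"),  # clinicians only see the app tier
    ("umc-ehr-broker", "umc-ehr", "ehr-service"),         # only the broker's service identity
    ("umc-paw", "shared-infra", "infra-admin"),           # admin work only from a hardened PAW
    ("shared-infra", "ttuhsc-admin", "infra-admin"),
    ("ttuhsc-admin", "ttuhsc-teaching", "ttuhsc-staff"),
]

def reachable_zones(policy, start, held_roles):
    """Zones an attacker with a foothold in `start` and credentials for `held_roles` can pivot into."""
    seen, queue = {start}, deque([start])
    while queue:
        zone = queue.popleft()
        for src, dst, role in policy:
            if src == zone and role in held_roles and dst not in seen:
                seen.add(dst)
                queue.append(dst)
    return seen - {start}

def blast_radius(policy, start, held_roles, crown_jewels):
    """Sorted list of the sensitive zones exposed from `start` under `policy`."""
    return sorted(reachable_zones(policy, start, held_roles) & set(crown_jewels))

if __name__ == "__main__":
    # A phished clinician's credentials on a UMC workstation, evaluated under each policy.
    stolen = {"domain-user", "clinician"}
    jewels = ["umc-ehr", "ttuhsc-admin", "ttuhsc-teaching"]
    for name, policy in (("flat", FLAT_OVERPRIVILEGED), ("segmented", SEGMENTED_LEAST_PRIV)):
        print(f"{name:9s} exposes {blast_radius(policy, 'umc-workstations', stolen, jewels)}")
```

Note that under the segmented policy an escalated admin role is still useless from the workstation zone, because the only flow that accepts it starts from the PAW zone.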

Additionally, this situation illustrates the multi-stage nature of ransomware attacks. The encryption event—when systems are locked down and a ransom demand is made—is often the final step of a prolonged attack process.  

Leading up to that, attackers frequently engage in detectable behaviors, such as mass data exfiltration (often used in double extortion schemes), account compromise, privilege escalation, file enumeration, and the deployment of trojans or ransomware precursors like droppers.  

These activities can unfold over days or even weeks, providing critical opportunities for detection and mitigation before the ransomware is activated.

Organizations must focus on identifying and responding to these early-stage activities, which present opportunities to stop the attack before it reaches the encryption phase. By implementing robust monitoring and incident response protocols, healthcare organizations can detect and mitigate threats early, ultimately protecting both themselves and their partners from widespread disruption.
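As an added example, not part of the original post, the following Python correlates the precursor stages listed above per user over a constructed set of log events; the log format, thresholds and correlation window are assumptions. A single identity tripping several stages inside one window is surfaced as a staging alert before any encryption event occurs.

```python
"""Correlate the precursor stages the post lists, per identity, before any encryption event.
Added example, not from the original post: LOG is constructed (ts|user|type|k=v;k=v), thresholds and window are assumptions."""
from datetime import datetime, timedelta
LOG = [
    "2024-09-24T02:10:20|jdoe|logon_ok|src=203.0.113.9",
    "2024-09-25T11:00:00|jdoe|group_add|group=Domain Admins",
    "2024-09-25T11:05:00|jdoe|proc_start|path=C:\\Users\\jdoe\\AppData\\Local\\Temp\\svc.exe",
    "2024-09-27T23:30:00|jdoe|net_out|dst=198.51.100.7;bytes=9000000000",
    "2024-09-26T09:30:00|nurse1|file_read|path=\\\\fs01\\patients\\b.pdf",
] + [f"2024-09-26T09:{m:02d}:00|jdoe|file_read|path=\\\\fs01\\patients\\{m}.pdf" for m in range(8)]
WINDOW = timedelta(days=7)       # assumed: stages can be days or weeks apart
INTERNAL = "10."                 # assumed: address prefix of the internal network
ENUM_THRESHOLD = 5               # assumed: distinct share files read = file enumeration
EXFIL_BYTES = 1_000_000_000      # assumed: external egress volume abnormal for one user
def parse(lines):
    """Parse log lines into (ts, user, type, fields) tuples in time order."""
    rows = (ln.split("|", 3) for ln in lines)
    return sorted(((datetime.fromisoformat(t), u, e, dict(kv.split("=", 1) for kv in d.split(";")))
                   for t, u, e, d in rows), key=lambda ev: ev[0])

def precursor_stages(events):
    """Per user: the precursor stages seen within WINDOW of that user's first event."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev[1], []).append(ev)
    stages = {}
    for user, evs in by_user.items():
        hit, files, egress = set(), set(), 0
        for _, _, etype, f in (e for e in evs if e[0] - evs[0][0] <= WINDOW):
            if etype == "logon_ok" and not f["src"].startswith(INTERNAL):
                hit.add("account_compromise")       # interactive logon from outside
            elif etype == "group_add" and f.get("group") == "Domain Admins":
                hit.add("privilege_escalation")
            elif etype == "proc_start" and "\\Temp\\" in f.get("path", ""):
                hit.add("precursor_tooling")        # dropper-style launch from a temp dir
            elif etype == "file_read":
                files.add(f["path"])
            elif etype == "net_out" and not f["dst"].startswith(INTERNAL):
                egress += int(f["bytes"])
        if len(files) >= ENUM_THRESHOLD:
            hit.add("file_enumeration")
        if egress >= EXFIL_BYTES:
            hit.add("mass_exfiltration")
        stages[user] = hit
    return stages

def staging_alerts(events, min_stages=3):
    """Users with enough correlated stages to warrant response before the encryption phase."""
    return {u: sorted(v) for u, v in precursor_stages(events).items() if len(v) >= min_stages}
```

Run `staging_alerts(parse(LOG))` to see that only the user whose activity spans several stages is flagged, while a clinician reading one file is not.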

In the case of the ransomware attack on UMC Health and TTUHSC, neither organization has yet confirmed whether sensitive data belonging to patients, students, or employees has been compromised.  

Determining the extent of data compromise following a ransomware attack is a complex and time-consuming process, particularly in sectors like healthcare where sensitive information is at stake.

Digital Forensics and Incident Response (DFIR) investigations can take weeks or even months to complete. These investigations require analyzing massive amounts of data to determine which information was accessed, how it was compromised, and whether it was exfiltrated.  

Attackers often use sophisticated tactics to cover their tracks, which complicates the analysis and extends the timeline. Moreover, the loss of sensitive data triggers significant regulatory scrutiny, especially in the healthcare sector, where legal repercussions can be severe.

Organizations face the challenge of balancing transparency with their legal and regulatory obligations. Before disclosing any potential data breaches, companies must fully understand the extent of the compromise.  

They need to assess the risks they face from regulators, legal challenges, and their relationships with shareholders, patients, and other stakeholders. While transparency is important, they must also protect their legal interests as they navigate the complex investigation and remediation process.

Ultimately, ransomware attacks on healthcare organizations, such as the one experienced by UMC Health and TTUHSC, represent not just financial risks but threats to national security. The increasing frequency of attacks on critical infrastructure, coupled with the potential for adversarial nations to exploit these incidents, underscores the need for a more robust response.

Ransomware attacks targeting healthcare systems should not be treated as mere criminal matters; they are a matter of public safety and national security. Legislation is needed to address this growing threat, recognizing that the impact extends far beyond financial loss to endangering lives and critical services.

Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.