Lessons from UVM Medical Center cyberattack

Dr. Stephen Leffler, COO of UVM Medical Center, shares lessons learned from the 2020 cyberattack that shut the hospital down for 28 days.
By admin
Oct 2, 2023, 7:54 AM

In an era where cyber threats are evolving with alarming sophistication, ransomware attacks stand out as a particularly insidious menace. Seven months into the pandemic, the University of Vermont (UVM) Medical Center fell victim to such an attack, which shut its network down for 28 days and cost an estimated $40 to $50 million. Dr. Stephen Leffler, the COO of the medical center, recently testified before Congress, shedding light on the grim realities of dealing with these cyber onslaughts.

“We’re the sole tertiary care hospital in our state. We did not have the option of stopping care, shutting down, or going on diversion. We knew we were going to have to take care of people,” Dr. Leffler shared.

The attack affected crucial systems, disabling internet and phones and impacting radiology imaging and laboratory results. The Electronic Medical Record (EMR) system was offline for over a month, pushing the staff back to the paper era, a domain unfamiliar to many younger doctors.

With no tools to communicate with each other or with anyone else, Dr. Leffler said, on the second day of the cyberattack a team had to go to Best Buy and purchase all the walkie-talkies the store had. By the next day, the backup of information they were relying on had run out.

“The major issue that we faced is that in 2020, the best practice was to save 3 days’ worth of forward-looking information in your EMR. Our cyberattack happened on a Thursday. On Monday morning, our clinics did not know who was going to show up in the clinic that day, didn’t have their medical information, didn’t have their problem list, didn’t know what time they were coming, or for what,” Leffler continued.

“I’ve been an emergency medicine doctor for 30 years, I’ve been the hospital president for 4 years. The cyberattack was much harder than the pandemic by far,” Dr. Leffler said.  

The Senate subcommittee hearing, where Dr. Leffler represented the healthcare sector, was a platform to discuss and deliberate on the escalating threat of ransomware. His firsthand account underscores the urgency of staying vigilant and adapting to more complex cybersecurity challenges. 

In this exclusive Q&A, Dr. Leffler delves deeper into the lessons learned from this crisis, offering insights that extend beyond his testimony and provide a closer look at the stakes involved and the impact on both the hospital and its patients. The conversation with Dr. Leffler is not just a recount of the tumultuous times but also a reflection on the way forward in securing our healthcare institutions against increasingly sophisticated cyber threats. 

Has the hospital implemented any new policies or best practices that could serve as a model for other healthcare institutions?

Leffler: Yes, we have, and we are continually working to upgrade our cybersecurity in an effort to stay one step ahead of these types of attacks. We’ve added more steps, added multifactor authentication to limit things people in the system, even administrators, can easily do. We have also learned that we need to have backups for our data, such as upcoming outpatient appointments, medication lists, everything, for far longer than 3 days, which was the previous industry standard. We have also ramped up training for our staff to ensure everyone knows what to look for.  

What lessons have been learned from the ransomware attack?

Leffler: We had strong security processes in place and had deployed a variety of tools to block malware attacks, yet we were still the victim of a cyberattack. We took care of patients safely, but it was hard. This really is an arms race. As we have all seen in the news over the past few years, the cyber criminals and actors are getting increasingly sophisticated, and so this important work to protect our systems will never be fully finished. We all are going to have to stay vigilant and continually update our tools and approaches to stay ahead of cyberattacks, and that will continue to be a high priority for the UVM Medical Center and the UVM Health Network going forward.  

One thing that was really important for us is a lesson that we are sharing with other organizations – make sure your IT team is empowered to shut down the system immediately without going up the chain of command if they think something is wrong. Our team was able to essentially turn off the system right away, and we believe that their choice to do that helped us avoid having patient information compromised during the cyberattack. We are also sharing that organizations should at least do a tabletop exercise to imagine what it would be like to be down for as long as a month – without essentials like phones, schedules, or ways to get lab results to the floors.

What additional support or regulations from federal or state governments would help bolster cybersecurity in healthcare settings?

Leffler: Hospital budgets are challenging, especially in 2023 as hospitals around the country face financial pressures from cost inflation, a national workforce shortage, and in our region a growing and aging population that needs more acute care. Support in the form of grant or other funding that would help health care organizations more cheaply buy cybersecurity-related programs, or keep programs up to date; or bring an organization up to standard and maintain strong backups, would help.    

How are you collaborating with other healthcare entities and the government to improve sector-wide cybersecurity?

Leffler: We have learned a lot of lessons from this experience – lessons that we have been sharing with the rest of our health care industry. We’ve worked hard to be transparent about our experience, lessons learned, and suggestions for other healthcare entities. Podcasts, interviews, etc. and this hearing is the latest step.  

Are there any specific recommendations you would make to Congress to support healthcare organizations in combating cyber threats?

Leffler: Hospital budgets are challenging, especially in 2023 as hospitals around the country face financial pressures from cost inflation, a national workforce shortage, and in our region a growing and aging population that needs more acute care. Support in the form of grant or other funding that would help health care organizations more cheaply buy cybersecurity-related programs, or keep programs up to date; or bring an organization up to standard and maintain strong backups, would help.

Editor’s Note: This interview has been edited and condensed for clarity. 
