You open your work laptop on your beach vacation and start to answer personal emails. Boom. A $50 million mistake.
When you return to work and log in a week later, the malware that crept onto your laptop on vacation travels out to the organization’s network. The entire network is infected and ultimately the organization becomes a ransomware victim. The malware came from an infected non-work email you received and opened.
This is what happened to the University of Vermont Medical Center (UVM) last October after an employee took a corporate laptop on vacation and used it for personal emails.
Nightmare Scenario Costs Tens of Millions
The attack first shut down the hospital’s applications. After two hours of investigating, UVM’s IT team discovered a file with the attackers’ contact information and realized it was a ransomware attempt.
But the hospital decided not to contact the attackers and did not pay a ransom. Instead, they cut off all internet connections to the hospital’s network to protect the data, leaving the health system to operate without access to most of its data for several weeks. They also contacted the FBI for investigative help.
The malware traveled from one hacked email an employee received while on vacation to more than 5,000 hospital computers and laptops and 1,300 servers at work. UVM had to wipe the computers, laptops and servers and then reinstall all data and software.
UVM furloughed or reassigned about 300 employees who were unable to perform their jobs while the systems were down. During the downtime UVM had to cancel or postpone some services, including elective procedures and cancer treatments. UVM estimates the total cost of the attack was $40 to $50 million, mostly in lost revenue. By the end of the year UVM had recovered from the attack. UVM executives said there is no evidence that any patient information was stolen or breached.
Security Improvements Can Help
Since the incident, UVM has taken security steps to combat future malware attacks. The IT department now sends out regular simulated phishing emails to employees in order to heighten awareness around the risk of phishing. If an employee clicks on it, the department provides immediate feedback to help them identify real phishing emails in the future.
The department has also blocked access to personal email on all work computers, installed anti-virus response software and advanced firewall protection, and restricted access to the corporate network.
Cybersecurity Lessons Learned
In healthcare, electronic devices should only be used for healthcare purposes and not for personal matters. This includes desktop computers, laptops, tablets, servers, smartphones and USB drives; all electronic devices need to be inventoried and maintained by the organization’s IT staff, who can monitor them and install software patches and updates as needed.
There are five simple steps you can take today to reduce your cybersecurity risks. It’s also critically important to do a thorough HIPAA Risk Analysis, follow the Risk Management plan that results from it, and train the workforce in cybersecurity awareness.