UK was ‘perilously close’ to more dire outcome in 2020 cyberattack on hospital, audit shows

University of Kentucky Albert B. Chandler Hospital.

An after-action audit of what was called the most substantial cyberattack in University of Kentucky history found that the university expended nearly $5 million to contain and expel attackers that hobbled university hospital systems for months last year.

There was no evidence that protected patient health information was ever compromised in the attack, which sought to use the power of vast university systems to mine cryptocurrency (like Bitcoin), according to the 46-page report from UK’s office of Internal Audit. The attack was formally halted during a mass reboot in early March 2020, just as the state’s first confirmed COVID-19 patient was being isolated in a UK hospital.

The attack appeared to be limited to the university’s hospital system, UK HealthCare, and because of the apparent singular focus of the attackers on mining cryptocurrency, UK as a whole avoided a far more dire outcome.

“(T)he reality is that the university was perilously close to an enterprise-wide event that could have completely halted operations across the enterprise,” the audit stated.

UK IT has made ‘marked progress’ since attack

In the year since the attack, the university’s and UK HealthCare’s information technology professionals have made “marked progress” in strengthening defenses against future cyberattacks, the audit stated.

Outside forensic firms and other third-party consultants were brought in to analyze the attack. Additional anti-malware software was installed across the university, and the prevention and detection of cyber threats was better streamlined and centralized.

“The work of cyber security never stops. It is an ongoing process,” said UK spokesperson Jay Blanton, in a statement. “The work of a number of individuals across our campus stopped this attempted breach last year.”

Going forward, the university will also decrease who has access to administrative accounts, continue to collaborate with Microsoft and IT for directory design and management, more aggressively scan public IP addresses, and develop a “quarantine network” and a new guest network within UK HealthCare, the university said in a release on the audit.

The $5 million cost was a combination of direct action against the cyberattack, time spent by staff reining in the attack, bringing in outside consultants and lost revenue because of compromised computer systems, the audit stated.

‘Critical risks remain’

“However, critical risks remain, making it imperative that steps be taken immediately to mitigate these risks and help prevent future cyber attacks,” stated the audit.

An analysis from Microsoft, referenced in the audit, stated that no systems or accounts outside of the university’s healthcare wing were compromised; however, the company indicated that it was possible that, had the attackers gone further, “there would have been little to stop them from taking over the university’s systems, locking them down and demanding a ransom.”

“Fortunately, evidence indicates that the attackers seemed to be singularly focused on using UKHC’s systems to mine cryptocurrency and did not exploit this opportunity,” the audit stated.

When the attack was first halted, university officials said the attack originated outside the United States and likely began in early February 2020. The newly released audit stated that there are indications that the attackers might have infiltrated university systems as early as December 2019 and there was confirmed evidence that the intrusion reached a healthcare application in early January 2020.

“On January 7, 2020, an unpatched, publicly-accessible UK HealthCare (UKHC) web server was exploited by a cyber attacker, leading to the infection of thousands of endpoints (desktop computers, laptops, servers, etc.), the eventual downtime of UKHC production systems, and a costly months-long incident response effort by multiple entities across the university,” the audit stated.

Throughout late January and early February, officials missed opportunities to get greater assistance in stymieing the attack.

According to a timeline of the university’s response, on Jan. 21, the first of numerous compromised healthcare accounts was shut down. Two days later, hospital IT personnel reported the malware issues to Microsoft but didn’t put in a work order. Microsoft followed up on the issues, but was told “their assistance was not needed.”

On Feb. 4, the same day a UK hospital system was down for six hours, hospital IT personnel submitted a work order to Microsoft but withdrew it before the company could engage. That week, officials throughout the university were first notified of the attack.

Microsoft was brought in and the cyber-security software CrowdStrike was installed. On Feb. 23, CrowdStrike indicated that there were 700,000 instances of malware on the hospital’s domain. On March 8, the hackers were evicted in a three-hour reboot meant to cut off access to university systems.

Places to improve

Much of the audit is composed of observations of ongoing issues and recommendations for IT professionals to remediate them. Since 2013, the university’s audit office has done 17 reviews of the university’s healthcare system “where IT vulnerabilities were observed.”

One such issue was the number of unnecessary administrative accounts. These accounts have wide power to install software, add new accounts and “amend the way systems operate.” The number of such accounts should be limited “solely to those whose job it is to maintain the system.” Auditors previously found this “was not the case” and recommended that many additional accounts be shut down.

Those accounts were used to spread the attack as the “attackers’ exploitation of compromised domain admin accounts enabled them to move far beyond the initial compromised server.”

Additionally, the audit found that several old accounts had not been deactivated and that there wasn’t an official policy related to deactivating them. Many computers within the hospital were also running outdated operating systems.

Further, the audit found issue with the way the university’s and hospital’s IT personnel were organized. The hospital and university have separate management structures, which helps each meet its own goals but makes it hard to mount a unified response in a crisis. Prior to the attack, UK lacked a university-wide incident response plan.

“The lack of an enterprise-wide incident response plan is exacerbated by inefficient – and often divergent – operational communications which delay critical response decisions – a factor that contributed to the severity of this security incident,” the audit stated.

The audit office set up action plans for the university’s IT services to fulfill by certain dates over the next two years. Some remediation efforts are already underway.

The university was lucky the results of the attack were not worse, the audit stated, highlighting an NBC News report on a cyberattack on Universal Health Services last year, in which a major hospital chain’s files were taken over by hackers who demanded a ransom.

“In this instance, the University of Kentucky was indeed fortunate. This time.”

This story was originally published March 26, 2021 at 11:50 AM.

Rick Childress
Lexington Herald-Leader
Rick Childress covers Eastern Kentucky for the Herald-Leader. The Lexington native and University of Kentucky graduate first joined the paper in 2016 as an agate desk clerk in the sports section and in 2020 covered higher education during the height of the COVID-19 pandemic. He spent much of 2021 covering news and sports for the Klamath Falls Herald and News in rural southern Oregon before returning to Kentucky in 2022.