At lunchtime on Oct. 28, Colleen Cargill was in the cancer center at the University of Vermont Medical Center, preparing patients for their chemotherapy infusions. A new patient will sometimes be teary and frightened, but the nurses try to make it welcoming, offering trail mix and a warm blanket, a seat with a view of a garden.
Then they work with extreme precision: checking platelet and white blood cell counts, measuring each dosage to a milligram per square foot of body area, before settling the person into a port and hooking them up to an IV.
That day, though, Cargill did a double take. When she tried to log in to her workstation, it booted her out. Then it happened again. She turned to the system of pneumatic tubes used to transport lab work. What she saw there was a red caution symbol, a circle with a cross. She walked to the backup computer. It was down, too.
“I wasn’t panicky,” she said, “and then I noticed my cordless phone didn’t work.”
That was, she said, the beginning of the worst 10 days of her career.
Cyberattacks on America’s health systems have become their own kind of pandemic over the past year as Russian cybercriminals have shut down clinical trials and treatment studies for the coronavirus vaccine and cut off hospitals’ access to patient records, demanding multimillion-dollar ransoms for their return.
Complicating the response, President Donald Trump last week fired Christopher Krebs, director of CISA, the cybersecurity agency responsible for defending critical systems, including hospitals and elections, against cyberattacks, after Krebs disputed Trump’s baseless claims of voter fraud.
The attacks have largely unfolded in private as hospitals scramble to restore their systems — or to quietly pay the ransom — without releasing information that could compromise an FBI investigation.
But they have had a devastating and long-lasting effect, particularly on cancer patients, said workers and patients from Vermont’s largest medical system. Its electronic medical record system was restored Sunday, nearly a month after the cyberattack.
In the interim, clinicians were forced to send away hundreds of cancer patients, said Olivia Thompson, a nurse at the cancer center.
The staff fell back on written notes and faxes, leafing through masses of paper to access vital information. They tried to reconstruct complex chemotherapy protocols from memory.
And while the hospital has taken pains to reassure patients that most care could proceed, some staff members worry that the full damage of the October attack is not well understood.
“To recover from something like this is going to take months and months and months,” Thompson said. “It feels like we are all alone, and no one understands how dire this is.”
Elise Legere, a nurse at the cancer center, said she could compare the past weeks to only one experience — working in a burn unit after the Boston Marathon bombing — and has often found herself wondering about the motivation behind the cyberattack.
“It’s like asking, what’s the point of putting a bomb in an elementary school? What is the point?” she said. “There is a lot of evil in the world. Whoever did orchestrate this attack knows a lot about how devastating it is.”
‘We Expect Panic’
The latest wave of attacks, which hit about a dozen U.S. hospitals, was believed to have been conducted by a particularly powerful group of Russian-speaking hackers that deployed ransomware via TrickBot, a vast network of infected computers used for cyberattacks, according to security researchers who are tracking the attacks.
The hackers typically work for profit. The FBI estimated that the cybercriminals, who use ransomware called “Ryuk,” took in more than $61 million in ransom over a period of 21 months in 2018 and 2019, a record.
The attacks slowed last spring, when cybercriminals agreed among themselves to avoid hacking hospitals amid the pandemic, security researchers said. But just before the presidential election, the groups resumed.
“In the past, they targeted organizations all over the world, but this time they were very specifically aiming for hospitals in the United States,” said Alex Holden, chief executive of Hold Security, a Milwaukee firm.
The FBI said it will not comment on the attacks, citing ongoing investigations.
Holden and other cybersecurity experts said that the targets and the timing — just weeks after the United States targeted TrickBot — suggest that one possible motivation could be retaliation.
In late September and October, fearing that cybercriminals could use ransomware to disrupt the election, the Pentagon’s Cyber Command started hacking TrickBot’s systems. Microsoft pursued the systems in federal court, successfully dismantling 94% of TrickBot’s servers.
The takedowns relegated TrickBot’s operators to “a wounded animal lashing out,” Holden said. His firm captured online messages sent among the group, including a list of 400 U.S. hospitals they planned to target, and informed law enforcement.
“We expect panic,” one hacker wrote, in Russian.
U.S. officials warned hospitals about a “credible threat” of attacks Oct. 23, and then an unusual cluster of attacks on hospitals took place. Several hospitals — including Vermont Medical Center and the St. Lawrence County health system in New York — have said they received no ransom note.
Others reported ransom demands “in eight figures, which is just not something that regional health care systems can do,” said Allan Liska, an analyst with Recorded Future, a cybersecurity firm. These unusual demands, combined with the coordination of the attacks, make “it seem that it was meant to be a disruptive attack” rather than a profit-seeking one, he said.
Holden said many of the health systems opted to negotiate with their extortionists, even as ransoms jump into the millions.
“A great number of victims are dealing with these attacks on their own,” he said.
The View From Inside
In Vermont, the damage radiated out through a sprawling network, hitting especially hard in the cancer center.
“My really good friends are ICU nurses, and they’re like, ‘No big deal — all we have to do is paper charting,’” said Cargill, the charge nurse.
But the cancer center was badly set back for weeks, able to serve only about 1 in 4 of its normal chemotherapy patients.
Cargill spent the rest of the day turning away patients, an experience she cannot relate without beginning to cry, nearly a month later.
“To look someone in the eye and tell them they cannot have their life-extending or lifesaving treatment, it was horrible and totally heart-wrenching,” she said.
The very first person she turned away, a young woman, burst into tears.
“She said, ‘I have to get chemo. I am the mother of two young kids,’” Cargill said. “She was so fearful, and the fear was tangible.”
In the days that followed, clinicians attempted to prioritize patients and recreate chemotherapy protocols from memory, gradually aided by backup chart information, said Legere, a nurse navigator in the unit.
“They were trying to remember everything they knew about a patient, but none of that is accurate,” she said. “Our brains are not designed to be electronic medical records. That’s not safe, and we all know it.”
Patients, she said, “feel very in the dark about when they will get treated,” and many cancer patients who live in rural areas do not have the resources to drive four hours to Boston for treatment.
“Vermont feels intentional. It feels scouted in the sense that it would cause a ton of panic,” she said. “The federal and statewide response is where I’m feeling very deserted. Maybe there’s stuff I don’t see.”
Lawmakers have also accused the Trump administration of marring the federal response.
In an email to The New York Times, Sen. Gary Peters, D-Mich., a member of the Homeland Security Committee, called the president’s firing of Krebs unacceptable, adding that it caused instability at his agency as it tried to mitigate the hospital attacks amid a surging pandemic.
Administrators at the University of Vermont Health Network acknowledge that restoring services proved far more challenging than they expected.
“If you look at what some other hospitals have gone through, it was days, not weeks,” said Al Gobeille, the system’s executive vice president for operations. “We thought that was what this would be. And we were wrong.”
He said a large number of professionals on information technology — 300 hospital employees, plus 10 members of the National Guard — were deployed to rebuild and clean 1,300 servers and 5,000 laptops and desktop computers. A team of seven FBI investigators was on site for two days after the shutdown, he said, but has had little to no contact with administrators since then.
With the restoration of the electronic patient record system, he said, the hospital’s systems are 75% to 80% recovered.
The motivation behind the attack remains unclear. At a news conference last month, Dr. Stephen Leffler, president of the medical center, said he had received no request for ransom. Since then, though, at the request of the FBI, administrators have carefully avoided discussing the matter of ransom or confirming Leffler’s statement.
Leffler, he said, “was saying what he knew at the time,” Gobeille said.
“The FBI has asked us not to talk about that part of the investigation, and I haven’t said either way,” he said. “I’m a pretty transparent person, so it’s odd to say the FBI has asked me not to talk about it. It’s not who were are. But in this case, I understand why.”
Some patients have complained that they were left dangling, uncertain when their treatment would resume.
Sean McCaffrey, 37, who was scheduled to see a cardiologist on the afternoon of the cyberattack — he had been suffering from chest pains — said he had never been contacted to reschedule the appointment.
“It’s really troublesome because I have lost some faith in my local hospital,” he said. “I was told I’d get a call. It’s been three weeks, and I have no idea what to do.”
Others say they are still waiting to gain access to critical scans. Two days before the shutdown, Damian Mooney, 47, had received a radiologist’s notes on an MRI of his shoulder, which suggested that an aggressive bone cancer may have returned.
The scans have been unavailable since the cyberattack, so no doctor has been able to say whether the radiologist was correct, said his wife, Kat Mooney.
“For 26 days, we’ve been sitting here going, ‘We don’t know whether this recurred or not,’” she said.
It will be difficult, both for patients and staff members, to regain their sense of security, said Jennifer Long, an outpatient nurse at the medical center.
She and her colleagues, she said, sometimes wonder aloud what allowed the hackers to get into the system: “Is it the kid down the street? Is it someone in another country? Was it an email I sent? Was it the last page I opened?”
“You’re left with that feeling — it’s kind of sickening, it’s very impersonal — knowing that this was a deliberate attack, without any regard for the consequences and the potential for harm,” she said. “It really stings. It’s really hard to sit with it.”