As the second year of the pandemic was nearing an end, employees at Johnson Memorial Health hoped they could catch their breath after dealing with a weeks-long tsunami of COVID-19 hospitalizations and deaths. But on a Friday at 3 a.m., the hospital CEO’s phone rang with an urgent call from the chief of nursing.
“My chief of nursing said, ‘Well, it looks like we got hacked,’” said Dr. David Dunkle, chief executive officer of the health system based in Franklin, Ind.
The information technology team figured out that a ransomware group infiltrated the health system’s networks. The hackers left a ransom note on every server demanding the hospital pay $3 million in Bitcoin, a digital currency. The note was signed by the “Hive,” a prominent ransomware group that has targeted more than 1,500 hospitals, school districts and financial firms in over 80 countries, according to the U.S. Department of Justice.
Suddenly, a health system working as a well-oiled machine became an institution relying on primitive, less-efficient methods of delivering care. Johnson Memorial’s emergency department had to divert ambulances with sick patients to other hospitals because the staff were unable to access patient medical records. And the after-effects of the attack weren’t limited to that day in October 2021.
“Our lives were absolute chaos and mayhem for months on end,” said Dona Thomas, an ER nurse at Johnson Memorial. “And we are still reeling from the effects of that.”
Johnson Memorial was just one victim in a rising wave of cyberattacks on U.S. hospitals. One study found that cyberattacks on the nation’s health care facilities more than doubled from 2016 to 2021 — from 43 attacks to 91.
In the aftermath of a breach, the focus frequently falls on the risk of confidential patient information being exposed, but these attacks can also leave hospitals hemorrhaging millions of dollars in the months that follow and disrupt patient care, potentially putting lives at stake.
“Hospital CEOs now consider cyber risk as one of their top enterprise risks,” said John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association. “You ask many CEOs across the country, ‘What keeps you up at night?’ Of course, [they’re] talking about workforce, financial pressures, and they say, ‘The possibility of a cyberattack.’”
Across the nation, Riggi said nearly 250 hospitals were impacted by cyberattacks last year — far more than in prior years. In Indiana, where Johnson Memorial Health is located, 27 hospitals were hit by cyberattacks between 2010 and 2023, according to data provided by the Indiana Hospital Association.
To pay or not to pay the ransom
A few hours after Dunkle received that 3 a.m. call, he was on the phone with cybersecurity experts and the FBI.
The burning question on his mind: Should his hospital pay the $3 million ransom to minimize disruptions to its operations and patient care?
“[FBI agents] want you to know that if you pay a ransom to what is deemed a terrorist organization, you can open yourself up down the line to a fine,” he said.
Dunkle is referring to potential fines levied by the U.S. Department of the Treasury’s Office of Foreign Assets Control if an organization facilitates or makes a payment to cybercriminals. In a 2021 advisory, the agency said that “companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations.”
Dunkle also worried about the possibility of lawsuits. In addition to bringing some of the hospital’s critical systems to a screeching halt, the hackers claimed that they stole sensitive information they’d release to the “dark web” if Johnson Memorial did not pay up. An attack on the health system CommonSpirit led to a data breach, and now the health system is facing class-action lawsuits from patients.
The Office for Civil Rights can also impose financial penalties against hospitals if HIPAA-protected patient data is divulged.
“It was information overload,” Dunkle said. All the while, he had a hospital full of patients needing care and employees wondering how he would respond.
Just like a bank robbery with a hostage situation, hospitals need expert negotiators to help them handle a ransomware attack, said David Wong, a director at Google Cloud’s cybersecurity consulting firm Mandiant.
Wong — who hasn’t worked with Johnson Memorial — said cyber criminals’ techniques have changed over the years. They used to rely largely on “multifaceted extortion” schemes that encrypt organizations’ data, steal information and shut systems down, Wong said. But now, they mostly rely on threats to release stolen data to compel hospitals and other organizations to pay up.
“Oftentimes, we're in those situations where we're kind of stalling to make sure that [the hackers] don't do anything worse while we try to clean up the environment and take them out,” he said.
Wong said the general advice is to neutralize the threat and assess if the hackers have done as much damage as they claim.
Going Dark
Johnson Memorial decided the best course of action was to take several of its critical systems offline after the attack, which upended normal operations in various departments.
At the obstetrics unit, newborns wear security bracelets around their tiny legs that are detected by a secure gate system that won’t open unless a person is authorized to move the infant. With this system down, the hospital had to place staff at doors to physically guard them.
In one labor and delivery room, nurses struggled to communicate with an Afghani refugee who came from the nearby military post to give birth. The remote translation service they typically rely on was down as a result of the cyberattack.
“Stressed-out nurses were using Google Translate to communicate with this woman in labor,” said Stacey Hummel, the maternity department manager. “It was crazy.”
Hummel said this was the hardest thing she’s had to go through in her 24 years of experience –– even worse than COVID. During the cyberattack, she said her nursing team was praying, “Please don’t let the fetal monitors go down.” And then they did.
The staff suddenly could no longer receive notifications to monitor the vitals of laboring women and their fetuses. That meant critical data points like dangerously low heart rate and high blood pressure could go unnoticed.
“Once that happened, we had to station a nurse in every single room,” Hummel said. “So staffing was a nightmare because you had to stand there and watch the monitor.”
Beefing up staffing at that time was no small feat, as nurses were in short supply nationwide and labor costs were high.
The hospital’s billing department was also crippled. For months they were unable to bill for services to get paid by insurance in a timely fashion.
A report by IBM estimates that attacks on hospitals cost an average of $10 million per incident, excluding any ransom payment –– the highest among all industries. Hospital leaders say for this reason, cyberattacks pose an existential threat to the viability of hospitals across the country, especially those that are already operating in the red and smaller hospitals in rural areas.
One such hospital, St. Margaret’s Health in Peru, Illinois, indefinitely shut down all acute services in January. Its ICU, ER and obstetrics unit are currently closed, and surgeries remain on hold. In a statement on social media, the hospital said increased costs and lost revenues after the pandemic are to blame, as well as a cyberattack the hospital suffered a few months prior.
Cyber insurance challenges
The risk of cyberattacks on hospitals is no longer theoretical, said Riggi of the American Hospital Association.
“Imagine if these were terrorist attacks, where bombs were exploding, affecting U.S. critical infrastructure. There would be a very, very significant government response,” he said.
Cyber insurance has become a critical part of hospital budgets, Riggi said, but some are finding the insurance coverage to be lacking, as they remain on the hook for millions of dollars.
At the same time, insurance premiums can soar after an attack.
“The government certainly could help in the space of cyber insurance, perhaps setting up a national cyber insurance fund, just like post-9/11, when folks could not obtain insurance against terrorist attacks, to help with that emergency financial aid,” Riggi said.
The federal government has taken steps to address the threat of cyberattacks against critical infrastructure, including training and awareness campaigns by the federal Cybersecurity and Infrastructure Security Agency. The FBI has taken down several ransomware groups, including the “Hive,” which was behind the attack on Johnson Memorial.
Today, Johnson Memorial is up and running again. But it took nearly six months to get back to normal operations, said the hospital’s Chief Operating Officer Rick Kester.
“We worked… every single day in October, every single day. And some days, 12, 14 hours,” he said.
The hospital is still dealing with ongoing costs. Its revenue cycle has not picked up yet and its insurance claim from nearly two years ago still hasn’t been paid, Dunkle said. The hospital’s insurance premium is up 60 percent since the incident.
“That is an incredible increase in cost over the last three or four years and…when your claims aren't paid, it can be even more frustrating,” he said. “We are investing so much in cybersecurity right now that I don't know how small hospitals will be able to afford [to operate] much longer.”
This story comes from Side Effects Public Media — a health reporting collaboration based at WFYI in Indianapolis. Contact Farah at fyousry@wfyi.org. Follow on Twitter: @Farah_Yousrym