Ransomware attacks against healthcare facilities are becoming more frequent and severe as the pandemic and workforce shortages stress hospital capabilities. That makes cyberattacks pose potential life-threatening consequences, experts say.
On Aug. 4, Indianapolis-based Eskenazi Health experienced a ransomware attack, halting access to electronic medical records and requiring ambulances to bypass the city’s safety net hospital.
Now, nearly two weeks later, the hospital is still recovering. But electronic medical records are currently back online, according to a hospital spokesperson.
The hospital has not released information on the demands of the hackers or how the virtual attack took place.
An Eskenazi nurse who spoke to Side Effects on the condition of anonymity said she and many of the newer nurses were in unfamiliar territory following the attack without access to electronic medical records. This meant a loss of one of the checks and balances that normally go into patient care.
“I'm already an anxious kind of type-A in control person,” she said. “And for us to have just lost all ability to kind of keep all my ducks in a row, had me on edge.”
The nurse said more than anything the attack slowed patient care -- like when a patient couldn’t recall the dosages of her medication from home, and it couldn’t be easily checked on the computer.
She said that it’s given her a new appreciation for the required cybersecurity training.
“When I'm doing the education, I roll my eyes and think it's silly and overkill,” she said. “But now that we've experienced it, of course, I get it, and will definitely take it more seriously.”
The ‘it won’t happen to me’ attitude is dangerous, said John Riggi, senior advisor for cybersecurity and risk for the American Hospital Association. Healthcare facilities have become a specific target for foreign criminals. The FBI reported a 37 percent annual increase in reported ransomware cases from 2018 to 2019.
“They're being attacked, because [hackers] know that public health and safety depends upon the availability of the hospital,” Riggi said. “And therefore creates an exigency and urgency for the hospitals to remediate the situation.”
In Indiana, these attacks can lead to significant delays in care, such as transfers of critically ill patients, for already overburdened or rural hospitals. In 2020, Germany reported the first-known death from a hospital cyber attack when a critically injured patient had to be taken to a hospital in another town.
“What I constantly say to my colleagues is that when a ransomware attack on a hospital crosses the line from an economic crime to a threat-to-life crime,” Riggi said.
While the specifics of cyberattacks can vary, a majority of attacks begin via a phishing email. This is when an employee clicks a link in their email that sends them to a site where they inadvertently give away log-in or password information. These emails can be sophisticated and highly targeted. Often they appear as if they’re coming from trusted sources like vendors, contractors or colleagues.
Even as hospitals prepare for these kinds of attacks, cybercriminals have responded. If hospitals can restore their records without paying a ransom, hackers may use extorted patient records as leverage, threatening to sell the confidential information on the dark web.
The FBI recommends hospitals don’t pay ransom to cybercriminals to avoid incentivizing future attacks. But, it’s a challenging choice that could require months of remediation and costs that outpace the original ransom.
However, Riggi says, an estimated 30% of healthcare institutions pay the ransom.
“It's almost an impossible decision, pay the ransom and restore operations, maybe there's still no guarantee... it'll work,” Riggi said. “Or not pay, and you might not have the ability to restore quickly or independently.”
It’s a decision Hancock Regional Hospital CEO Steve Long experienced firsthand.
In 2018, Long was at home, ready for bed when he received a call from another administrator who said something was wrong with the hospital’s computer network. They soon discovered hackers had encrypted the hospital’s files and requested a ransom, launching a four-day race to recover control of their network.
“Say if somebody walked into your house, found the place where you keep your valuables and put a padlock on the door, that you can't get through without their key,” Long said. “So it never left your house, and you don't have access to it.”
Ultimately, Long and his team decided to pay the $55,000 ransom to quickly bring the hospital to full functionality.
“We were like everybody else, that it was always going to happen to somebody else, not to us,” Long said.
Since the attack, the health system hired around-the-clock staff monitoring hospital systems, artificial intelligence scanning the network for anomalies and new hardware for computers.
“We spend about three times more than we did before,” Long said. “It is very well worth it.”
Leaders in Washington, D.C. are taking notice of the growing cyber attacks on hospitals, local governments and other institutions. The Biden administration recently elevated ransomware attacks to a similar priority as terrorist attacks.
Eskenazi Health officials have not said when they expect to return to full operations. The hospital remains open and has been off of diversion since Aug. 11.