Cyberattacks on healthcare are on the rise. Inside the battle for recovery in a hospital


It was October 2021, and staff at Johnson Memorial Health were finally hoping to take a breather. They were just emerging from a weeks-long spike in COVID hospitalizations and deaths fueled by the Delta variant.

But on Friday, October 1, at 3:00 am, an emergency call came in on the hospital CEO’s phone.

“I remember it like it was yesterday. My nursing director said, ‘Looks like you’ve been hacked.’”

Johnson Memorial’s information technology team discovered that a ransomware group had infiltrated the healthcare system’s network. The hackers left a ransom note on every server and demanded that the hospital pay $3 million in Bitcoin within days.

The note was signed by Hive, a prominent ransomware group that has targeted more than 1,500 hospitals, school districts and financial firms in more than 80 countries, according to the US Department of Justice.

Johnson Memorial is just one victim in a growing wave of cyberattacks on hospitals across the country. According to one study, cyberattacks against US medical facilities more than doubled between 2016 and 2022.

The focus afterward is often on the risk of leaked sensitive patient information, but these attacks can also cost hospitals millions of dollars in the months that follow, disrupt patient care and may put lives at risk.

In Indiana alone, 27 hospitals were hit by cyberattacks between 2010 and 2023, according to data provided by the Indiana Hospital Association.

After the attack, staff at Johnson Memorial suddenly had to return to low-tech ways of caring for patients. They relied on pen and paper for medical records and notes, and sent runners between departments to take orders and relay test results. The effects were felt for several weeks.

Johnson Memorial had to go back to using pen and paper for medical records for a full month after a cyberattack in October 2021.

“I ask a lot of CEOs across the country, ‘What’s keeping you from sleeping at night?’ When [they’re] talking about labor and economic pressures, they say ‘the potential for cyberattacks,’” said John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association.

Hacker Ransom: Pay or Don’t Pay

Hours after that 3 a.m. call, Dunkle was on the phone with cybersecurity experts and the FBI.

The question that has stuck with him is whether his hospital should pay the $3 million ransom to minimize disruption to operations and patient care.

“[FBI agents] want you to know that you can be fined if you pay a ransom to what is considered a terrorist organization.”

Dunkle was referring to fines that may be imposed by the US Treasury Department’s Office of Foreign Assets Control if an organization pays cybercriminals or facilitates such payments.

Dunkle was also concerned about potential lawsuits, as he claimed hackers stole sensitive patient information. Other health data breaches have led to class-action lawsuits from patients.

The Office of Civil Rights can also impose financial penalties on hospitals for breaches of HIPAA-protected patient data.

“It was information overload,” recalls Dunkle. All the while, his hospital was overwhelmed with patients in need of care and his employees were at a loss as to what to do.

Hospitals go dark digitally

In the end, the hospital did not pay the ransom. Hospital leaders decided to disconnect after the attack, evaluate it, and then rebuild. This meant taking some critical systems offline, which upended normal operations in various departments.

Emergency departments had to divert ambulances carrying sick patients to other hospitals because staff could not access patients’ medical records.

In maternity wards, newborns usually wear safety bracelets on their little legs to prevent unauthorized adults from moving them or taking them out of the maternity ward. When that tracking system went dark, staff had to physically guard the unit door.

A ground-floor lab at Johnson Memorial Hospital uses a computerized system to perform nearly 1,000 tests a day. After the cyberattack, a lab test that would normally take 30 minutes took over two hours, and the hospital assigned staff members as “runners” to go back and forth between the lab and various departments, manually delivering handwritten results.

During one birth, a nurse had difficulty communicating with an Afghan refugee who had come from a nearby garrison to give birth. The remote translation service they normally use had been rendered inaccessible by the cyberattack.

“Stressed nurses used Google Translate to communicate with women in labour,” says Stacey Hummel, manager of obstetrics. “It was crazy.”

Hummel said it was the most difficult challenge she had ever faced in her 24 years of experience, even worse than COVID. As the cyberattack unfolded, her nursing team prayed, “Don’t turn off the fetal monitor.” And they did.

Clinical staff were suddenly unable to receive digital notifications outside the delivery room, which help them monitor the vital signs of a woman in labor and her fetus. This meant that important data points like a dangerously low heart rate or high blood pressure could be overlooked.

“When that happened, we had to have nurses in every room,” says Hummel. “So it was a staffing nightmare because you have to stand there and look at the monitor.”

At the time, there was a nationwide shortage of nurses and labor costs were high, making it difficult to increase the number of staff.

ER nurse Donna Thomas and her colleagues devised a makeshift system involving whiteboards and whiteboard markers to track patient care in the months following the Johnson Memorial cyberattack. Whiteboards and other tools used during the cyberattack are still kept in the back room in case another attack occurs.

Hospital billing departments were also crippled. For months, they were unable to claim payments from insurance plans in a timely manner.

A report from IBM estimates that cyberattacks on hospitals cost an average of $10 million per incident, excluding ransom payments. This is the highest amount of any industry.

For this reason, hospital leaders say cyberattacks pose a significant threat to the viability of hospitals across the country, especially those that are struggling financially and those in smaller rural areas.

Inadequate cyber insurance

According to Riggi of the American Hospital Association, cyber insurance has become an important part of hospital budgets. However, some institutions are finding that insurance coverage is not all-inclusive, and they still have to pay millions of dollars in costs after being attacked.

At the same time, insurance premiums can skyrocket after a cyberattack.

“Governments can certainly help in the area of cyber insurance. Perhaps a national cyber insurance fund could be established to help with emergency financial aid, like after 9/11, when people were unable to get insurance against terrorist attacks,” he said.

The federal government is taking steps to address the threat of cyberattacks on critical infrastructure. This includes training and awareness campaigns by the federal Cybersecurity and Infrastructure Security Agency. The FBI has taken down several ransomware groups, including “Hive,” the group behind the attack on Johnson Memorial.

Today, Johnson Memorial is operational again. But it took nearly six months to resume near-normal operations, according to Rick Kester, the hospital’s chief operating officer.

“We … worked 12, 14 hours every day in October,” says Kester.

The hospital is still dealing with some ongoing costs. Its revenue cycle has yet to fully recover, and a cyberattack insurance claim filed nearly two years ago has yet to be paid, he said. Annual premiums for the hospital have increased by 60% since the incident.

“This is an incredible increase in costs over the last three or four years, and it can be even more frustrating when claims aren’t paid,” he says. “We are investing so much in cybersecurity right now that we don’t know how much longer a small hospital can afford [to operate].”

This story comes from a health reporting partnership with NPR, Side Effects Public Media and KFF Health News.

Copyright 2023 Side Effects Public Media. See Side Effects Public Media for more information.


