Farrah Usley/WFYI
It was October 2021, and staff at Johnson Memorial Health were finally hoping to take a breather. They were just emerging from a weeks-long spike in COVID hospitalizations and deaths fueled by the Delta variant.
But on Friday, October 1, at 3:00 am, an emergency call rang on the hospital CEO’s phone.
“I remember it like it was yesterday. My nursing director said, ‘Looks like you’ve been hacked.’”
Johnson Memorial’s information technology team discovered that a ransomware group had infiltrated the healthcare system’s network. The hackers left a ransom note on every server and demanded that the hospital pay them $3 million in Bitcoin within days.
The note was signed by Hive, a prominent ransomware group that has targeted more than 1,500 hospitals, school districts and financial firms in more than 80 countries, according to the US Department of Justice.
Johnson Memorial is just one victim in a growing wave of cyberattacks on hospitals across the country. According to one study, cyberattacks against US medical facilities more than doubled between 2016 and 2022.
The focus afterward is often on the risk of leaking sensitive patient information, but these attacks can also cost hospitals millions of dollars in the months that follow, disrupt patient care and put lives at risk.
In Indiana alone, 27 hospitals were hit by cyberattacks between 2010 and 2023, according to data provided by the Indiana Hospital Association.
After the attack, staff at Johnson Memorial suddenly had to return to a low-tech way of caring for patients. They relied on pen and paper for medical records and notes, and sent runners between departments to take orders and relay test results. The effects were felt for several weeks.
“I ask a lot of CEOs across the country, ‘What’s keeping you from sleeping at night?’ [They’re] talking about labor and economic pressures, and they say ‘the potential for cyberattacks,’” said John Riggi, National Advisor for Cybersecurity and Risk at the American Hospital Association.
Hacker Ransom: Pay or Don’t Pay
Hours after that 3 a.m. call, Dunkle was on the phone with cybersecurity experts and the FBI.
The question that stuck with him was whether his hospital should pay the $3 million ransom to minimize disruption to operations and patient care.
“[FBI agents] We want you to know that you can be fined if you pay a ransom to what is considered a terrorist organization.”
Dunkle was referring to fines that may be imposed by the US Treasury Department’s Office of Foreign Assets Control if an organization pays cybercriminals or facilitates a payment to them.
Dunkle was also concerned about potential lawsuits, as he claimed hackers stole sensitive patient information. Other health data breaches have led to class-action lawsuits from patients.
The Office of Civil Rights can also impose financial penalties on hospitals for breaches of HIPAA-protected patient data.
“It was information overload,” recalls Dunkle. All the while, his hospital was overwhelmed with patients in need of care and his employees were at a loss as to what to do.
Hospitals go dark digitally
In the end, the hospital did not pay the ransom. Leadership decided to disconnect after the attack, evaluate, and then rebuild. This meant taking some critical systems offline, which upended normal operations in various departments.
The emergency department had to divert ambulances carrying sick patients to other hospitals because staff could not access patients’ medical records.
In the maternity ward, newborns usually wear safety bracelets on their little legs to prevent unauthorized adults from moving them or leaving the ward with them. When that tracking system went dark, staff had to physically guard the unit door.
During one birth, a nurse had difficulty communicating with an Afghan refugee who had come from a nearby garrison to give birth. The remote translation service staff normally use had been rendered inaccessible by the cyberattack.
“Stressed nurses used Google Translate to communicate with women in labour,” says Stacey Hummel, manager of obstetrics. “It was crazy.”
Hummel said it was the most difficult challenge she had ever faced in her 24 years of experience, even worse than COVID. As the cyberattack unfolded, her nursing team prayed, “Don’t turn off the fetal monitor.” And they did.
Clinical staff were suddenly unable to receive digital notifications outside the delivery room, the alerts that help them monitor the vital signs of a woman in labor and her fetus. This meant that important data points, like a dangerously low heart rate or high blood pressure, could be overlooked.
“When that happened, we had to have nurses in every room,” says Hummel. “So it was a staffing nightmare because you have to stand there and look at the monitor.”
At the time, there was a nationwide shortage of nurses and labor costs were high, making it difficult to increase the number of staff.
The hospital’s billing department was also crippled. For months, it was unable to claim insurance plan payments in a timely manner.
A report from IBM estimates that cyberattacks on hospitals cost an average of $10 million per incident, excluding ransom payments. This is the highest amount of any industry.
For this reason, hospital leaders say cyberattacks pose a significant threat to the viability of hospitals across the country, especially those that are struggling financially and those in smaller, rural areas.
Inadequate cyber insurance
According to Riggi of the American Hospital Association, cyber insurance has become an important part of hospital budgets. However, some institutions are finding that insurance coverage is not all-inclusive, and they still have to pay millions of dollars in damages after being attacked.
At the same time, insurance premiums can skyrocket after a cyberattack.
“Governments can certainly help in the area of cyber insurance. A national cyber insurance fund could be established,” Riggi said.
The federal government is taking steps to address the threat of cyberattacks on critical infrastructure. This includes training and awareness campaigns by the federal Cybersecurity and Infrastructure Security Agency. The FBI has taken down several ransomware groups, including Hive, the group behind the attack on Johnson Memorial.
Today, Johnson Memorial is operational again. But it took nearly six months to resume nearly normal operations, according to Rick Kester, the hospital’s chief operating officer.
“We … worked 12, 14 hours every day in October,” says Kester.
The hospital is still dealing with some ongoing costs. Its revenue cycle has yet to fully recover, and a cyberattack insurance claim filed nearly two years ago has yet to be paid, he said. The hospital’s annual premiums have increased by 60% since the incident.
“This is an incredible increase in costs over the last three or four years, and it can be even more frustrating when claims aren’t paid,” he says. “We are investing so much in cybersecurity right now that we don’t know how much longer a small hospital can afford [to operate].”
This story comes from a health reporting partnership with NPR, Side Effects Public Media and KFF Health News.