The way cybercrime can kill

Your life in their hands...
11 December 2023

Outside a Topeka hospital that had to close its emergency room after a cyberattack on November 23rd. Via AP.

• Hospital cyberattack takes cyber-danger into the real world.
• Hospitals reduced to handwritten records, forced to cancel operations.
• Healthcare is practically the perfect target for cybercriminals.

A hospital cyberattack on Thanksgiving Day left emergency rooms in multiple hospitals across four US states shut down. Cybercriminals attacked Ardent Health Services, which owns and operates 30 hospitals and more than 200 care sites with upwards of 1,400 aligned providers in Oklahoma, Texas, New Jersey, New Mexico, Idaho and Kansas.

Emergency rooms are reopening, but it took until the Tuesday afternoon after the attack (almost five days!) for “more than half” of Ardent’s emergency rooms to return to accepting patients by ambulance or fully lift divert status.

Typically, divert status is used to redirect people needing emergency care to other nearby facilities if a hospital is dealing with, say, Covid-19 surges, natural disasters, or large trauma events.

The status will increasingly be needed for fallout from cyberattacks, unless the threat presented by cybercriminals to the healthcare sector is taken seriously and addressed througho comprehensive cybersecurity infrastructure.

Valuable data, disjointed systems, and a skills shortage make for a huge attack surface. Avid TechHQ readers will recognize that statement from this article that’s almost a year old – and laid out why an incident like this one was so likely!

Digital transformation is a process that every industry has undergone – some more recently than others. In the case of healthcare organizations, the process may well have been rushed due to Covid. Regardless of which, healthcare facilities tend to be fairly fractured legacy institutions, rather the modern, tech-linked organizations we expect them to be.

That is to say, we’ve all become used to the online version of healthcare, but what we don’t see is the messy business sometimes happening behind the scenes. Moving away from a paper system should streamline processes, but many organizations are still running legacy equipment and software and security alongside some of the new modern infrastructure.

Protecting a system like that is incredibly hard – and without trained cybersecurity professionals onboard, virtually impossible.

Poor cybersecurity is especially damaging to healthcare facilities, which are huge targets: the amount of valuable information they hold, along with the potential disruption to care, makes the potential for ransom payments huge.

Healthcare is the most vulnerable part of critical national infrastructure, and the holidays are the most vulnerable time: guards are down, eyes are off the ball and cybercriminals are ready to attack.

Hospital cyberattacks increasingly common

The FBI’s Internet Crime Complaint Sector (IC3) issued a report in March that showed the Bureau had received 870 reports of ransomware attacks aimed at critical infrastructure; 210 of those were from the healthcare sector.

The rate of attacks in 2023 is almost double the rate reported in 2021, when 34% of healthcare organizations reported being hit by ransomware.

Hospital cyberattack leaves patients vulnerable.

When will hospital cybersecurity be good enough?

“The attack against Ardent Health is both egregious and quickly becoming the norm,” said analyst Allan Liska at the cybersecurity firm Recorded Future. Even when healthcare providers don’t pay, ransomware groups can sell patient data, Liska added.

The hospital cyberattack against Ardent saw computer networks locked and a ransom payment demanded. According to an update on Ardent’s website, from Monday, December 4th, the company “proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs.”

As of the 6th, access to Epic and other core clinical and business systems was restored.

Epic is a common healthcare program that stores patient medical information. A paper system is slower and worse in almost every way – but it is much harder for criminals to target.

In fact, a nurse working at one of the affected New Jersey hospitals told CNN that staff rushed “to print out as much patient information as we could” as it became clear that the hospital was shutting down networks because of the hacking incident.

“We are doing everything on paper,” said the nurse, who spoke on condition of anonymity because they were not authorized to speak to reporters, CNN reported.

This attack demonstrates how cyberattacks targeting hospital operators have far-reaching impacts on hospitals across the country.

No deaths have happened yet as a result of a hospital cyberattack, but this “is partly due to luck,” said Brett Callow, analyst at cybersecurity firm Emsisoft.

The disruption to operations was felt by patients in multiple states: some were unable to refill prescriptions, make appointments online or had procedures rescheduled or postponed.

Annie Wolf told NBC News that she had scheduled open heart surgery with an Ardent-owned hospital in Tulsa, Oklahoma, on Monday 27th November. The hospital called her the Saturday before to tell her it wouldn’t be able to perform the surgery, as staff members couldn’t access medical records.

This latest incident is a reminder of the vulnerability of hospital cybersecurity and should instigate the digital transformation in the healthcare sector to be completed, ensuring no further hospital cyberattacks are possible.