By a Biometrica staffer
Nearly half of all hospital executives said their systems were shut down, either forcibly or proactively, in the last six months due to ransomware attacks, according to a study by IPSOS, sponsored by Philips and CyberMDX, that was published last week. Among the survey’s 130 respondents, who had an average of 15 years of experience in their respective fields, large hospitals reported an average shutdown time of 6.2 hours at a cost of $21,500 per hour. Mid-size hospitals, which have borne the brunt of these cyberattacks, averaged nearly 10 hours of shutdown time at more than double the cost, or $45,700 per hour.
After pipelines, other critical infrastructure companies, and education systems, there’s been an increasing trend of cybercriminals using ransomware to launch attacks against healthcare systems. Just last month, Biometrica wrote about this trend, which still appears to be going strong. On Tuesday, Aug. 17, Ars Technica reported that dozens of hospitals and clinics in West Virginia and Ohio are canceling surgeries and diverting ambulances after a ransomware attack knocked out staff access to IT systems across virtually all operations.
The facilities are owned by Memorial Health System, which represents 64 clinics and hospitals. Early on Sunday, Aug. 14, the chain experienced a ransomware attack that hampered three of its hospitals’ activities and disrupted their ability to operate normally. Those hospitals are Marietta Memorial, Selby General, and Sistersville General in the Marietta-Parkersburg metropolitan area in West Virginia and Ohio, the Ars Technica post adds.
The chain is expecting a weeklong IT system outage from the attack, Becker’s Hospital Review reported. A spokesperson from Memorial Health System told Becker’s that it is negotiating a solution with hackers, in concert with the Federal Bureau of Investigation (FBI). There has been no evidence so far that any patient or employee data has been leaked or released, the report added.
Only on Wednesday, Aug. 18, Georgia-based healthcare system St. Joseph’s/Candler said it had restored its IT network, two months after a ransomware attack. St. Joseph’s/Candler had shut down its IT systems and switched to backup operation methods, including paper documentation, after discovering “suspicious network activity” on June 17. Last week, the system announced that it had found that the hacker gained access to its network between Dec. 18, 2020, and June 17, 2021. In other words, the hacker had access to the health system’s network six months before the strike happened, or was reported.
While St. Joseph’s/Candler did not cancel any surgeries or procedures because of the attack, the incident temporarily disrupted telephone communications and hit computer systems, making certain files inaccessible. Cancer patients also were asked to verify their appointments for a period of time, Becker’s Hospital Review reported.
There have been several other instances in the recent past of hospitals and healthcare systems becoming victims of ransomware attacks. In many of these cases, the repercussions weren’t limited to the virtual world, nor were they instances wherein it was only the company involved that had to face the fallout.
One ransomware attack on a national chain nearly brought Las Vegas hospitals to their knees, another in Oregon abruptly shut down alerts tied to patient monitors tracking vital signs, while in New York, one county’s only trauma center briefly closed to ambulances, the Wall Street Journal reported in June.
In June, the Department of Health & Human Services (HHS) said in a report that, of a total of 82 ransomware incidents so far this year worldwide, 60% of them impacted the United States health sector.
Worryingly, despite continuing attacks, cybersecurity investment is not a high priority for healthcare organizations, the IPSOS-Philips-CyberMDX study published last week found. More than 60% of hospital IT teams have “other” spending priorities, and less than 11% say cybersecurity is a high priority spend, the study added. There’s also a talent shortage in the cybersecurity space and an over-100-day lag when it comes to filling jobs.
To be sure, the healthcare system is not alone in facing a sharp spike in ransomware attacks and data breaches. Just yesterday, Aug. 18, T-Mobile confirmed that the personal information of millions of current and prospective customers was compromised in a recent “highly sophisticated cyberattack,” ABC News reported. On the same day, a report by the Office of the Inspector General found that U.S. Census Bureau computer servers were exploited last year during a cybersecurity attack.
But given the nature of the business they’re in, cyberattacks in the healthcare industry perhaps require more urgent resolutions. “With new threat vectors emerging every day, healthcare organizations are facing an unprecedented level of challenges to their security. Hospitals have a lot at stake — from revenue loss, to reputational damage, and most importantly patient safety,” Azi Cohen, CEO of CyberMDX, said last week in a statement.