Deadly disruption: Cyberattacks on hospitals delay care, cause fiscal pain

As hospitals across the country cope with the Delta virus variant, there is another type of virus threatening healthcare institutions — a computer virus that heralds an increasing number of cyberattacks and ransomware demands.

On Sunday, a ransomware attack on the Memorial Health System’s hospitals in West Virginia and Ohio caused doctors to postpone elective surgeries and divert patients to other facilities.

Fitch Ratings says these attacks are a growing economic threat to non-profit hospitals as their normal operations become disrupted.

During the COVID-19 pandemic, Fitch said, cyber criminals took advantage of the crisis in the healthcare sector at a time when it was facing tremendous demands. Since the pandemic began in March 2020, there have been over 37 million coronavirus cases and 623,000 deaths reported, with cases on the rise because of the more infectious new Delta variant.

According to the U.S. Department of Health and Human Services, there were 80 incidents of cyber attacks and ransomware demands in 2020 with 560 healthcare organizations impacted.

This resulted in ambulances being rerouted, radiation treatments for cancer patients delayed, medical records becoming temporarily inaccessible and in some cases permanently lost, and hundreds of staff being furloughed, HHS said. One health network in Vermont had 5,000 systems disrupted and had to furlough 300 staff members at an estimated cost of $1.5 million a day.

“This is really tragic stuff,” Ramarcus Baylor, a senior consulting director with the Palo Alto Networks Unit 42 security consulting group, told The Bond Buyer. “Hospitals are ripe targets because ransomware gangs know that they’ll be under tremendous pressure to pay up — especially when they disrupt phone networks or access to electronic medical records that provide critical data on medical history, diagnostics results and imaging.”

HHS said that in at least 12 incidents, sensitive data was stolen and published online.

“Ever-increasing cyberattacks on the U.S. public healthcare sector will place material revenue and expense pressures on not-for-profit hospitals and health systems,” Fitch said in a July 22 report. “The healthcare sector has seen a historic increase in the number and severity of cyber assaults over the past 18 months. The sector is viewed as a target-rich environment due to the large amount of sensitive data that healthcare entities maintain for patient care and operations.”

One reason for the attacks is the concentration of personal data stored in one place — and in a place that’s usually not as strongly guarded as a bank or credit reporting agency.

“Hospitals and other healthcare facilities are increasingly being targeted by ransomware, a type of malicious software, or malware, that prevents you from accessing your computer files, systems, or networks and demands you pay a ransom for their return,” Kenneth Mendelson, senior managing director at Guidepost Solutions, a global security, investigations and compliance firm, told The Bond Buyer.

“The primary reasons for this are that healthcare organizations tend to be ill-prepared to prevent or recover from ransomware attacks and that healthcare organizations tend to pay the ransom because lives are at risk if they do not. Ransomware payments are typically in the hundreds of thousands, or even in the millions of dollars,” he said.

Baylor of Palo Alto Networks leads teams that help hospitals recover from attacks that make it impossible for clinicians to access patient medical records, use telephone systems, check insurance coverage or handle other tasks that support patient care.

“Hospitals tend to have limited IT and cybersecurity teams, which means it may be harder for them to respond effectively when they’re compromised,” he said. “Delays in responding to an attack can compound its impact, making it tougher to restore systems, boosting recovery costs and potentially affecting patient care.”

According to Moody’s Investors Service, the risk from cyber attacks remains high for the sector.

“In particular, for-profit and not-for-profit hospitals will continue to be targets of ransomware attacks because of the vast amounts of sensitive data they maintain,” Moody’s said in a May 25 report.

“The growing interconnectedness of healthcare delivery and technology will continue to leave the sector vulnerable to breaches, as will its extensive use of third-party software vendors for clinical, billing and numerous other functions,” Moody’s said.

Moody’s said that while there is no way to fully prevent cyber breaches, “the expanding adoption of remote care, or telehealth, during the COVID-19 pandemic will yield additional vulnerabilities, as potentially unsecured devices will be used to access health system networks.”

Moody’s noted that many cyberattacks are not publicly disclosed, so that tracking the number and frequency of attacks is difficult. It cited research done by the IT security firm VMware Carbon Black that showed there were 239.4 million attempted attacks on the firm’s healthcare customers in 2020, an increase of almost 10,000% from 2019.

“The surge in ransomware attacks has forced hospitals to boost spending on security as they seek to block attacks to protect patient privacy and data security,” said Tapan Mehta, healthcare industry solutions leader at Palo Alto Networks. “This comes as hospitals continue to experience financial strain due to the lingering impact of the pandemic. They were forced to focus on managing the COVID crisis and cut back on profitable elective surgeries.”

He said the economic stress that these attacks cause should not be taken lightly.

“Over the longer term, the hospital sector will continue to experience a weakening payor mix, including greater reliance on lower-revenue self-pay and Medicaid clients,” Mehta said. “At the same time, hospital expenses have jumped, reflecting an increase in lower-margin procedures and services.”

Moody’s said cybersecurity investment may get a boost because the Biden administration has made cybersecurity a major focus, proposing legislation to provide funds to local, state, tribal and federal governments to combat cyberattacks.

Cybersecurity regulation in the U.S. has been focused on specific sectors with laws being passed as security threats in certain areas have gained public attention.

In July, President Biden signed a national security memorandum on “improving cybersecurity for critical infrastructure control systems.” It directed the Department of Homeland Security’s Cybersecurity & Infrastructure Security Agency and the Department of Commerce’s National Institute of Standards and Technology to develop cybersecurity performance goals for infrastructure.

It also established the President’s Industrial Control System Cybersecurity Initiative, a voluntary effort between the federal government and the infrastructure sector to move ahead on using technology and systems to provide threat visibility, indicators, detections and warnings.

This week’s Memorial Health hack hit a small system in Ohio and West Virginia. But large systems are also targets.

In June, a cyberattack reportedly took down networks at two University of Florida UF Health Central Florida hospitals.

In 2020, the for-profit, 400-hospital Universal Health Systems was hacked in an attack that cost the company $67 million, according to published reports.

“In September 2020, it was reported that a German patient with a life-threatening condition was redirected from their local hospital to a more distant one after the healthcare system closest to them was attacked by ransomware and deregistered its emergency services,” Ondrej Krehel, CEO of digital forensics company LIFARS, told The Bond Buyer. “Because of this last minute shift, the patient’s care was delayed an entire hour later causing their condition to be fatal. This instance was recognized as possibly the first time a ransomware attack directly caused a death.”

Such life-and-death stakes mean internet security is vital for healthcare operators.

“Unlike other industries which can lose service for days, it’s extremely important for hospitals to keep their services available to those who need them,” Krehel said. “As such, hospital CISOs should back up hospital data regularly and retain copies offline, and in separate hard drives. This technique will help them recover quickly following any cybersecurity incident while avoiding the loss of crucial data.”

He said there were other steps hospitals could take as well.

“Network segmentation, the installation of security patches and upgrades, and the use of multifactor authentication and strong passwords for employees are all effective defenses. Deactivating unused VPN protocols also prohibits hackers from using them to carry out ransomware attempts, which we’ve seen occur in the Colonial and Capcom breaches,” Krehel said.

“Lastly, hospitals need to understand that even with all of the security protocols in the world they are nothing if your employees do not follow them,” Krehel said. “As the weakest link in any cybersecurity effort, frequent security awareness training for employees is necessary. Furthermore, continuous testing to expose system vulnerabilities across the cybersecurity defenses is critical.”

Experts agree that it is important to take steps to deal with the problem.

“Cybersecurity for healthcare organizations is not a ‘one-size-fits-all’ problem. While all companies must be compliant, they should also recognize that the best ways to address cybersecurity are to perform periodic risk-based assessments and to create or adjust policies and deploy tools to address those risks,” Mendelson said. “Furthermore, healthcare executives must understand that threats rapidly change and evolve over time, so the exercise is one that must be incorporated into the budget cycle permanently.”