Why hospitals are common targets for cyberattacks

According to Yousry, hospitals and health systems have faced an increased risk of cyberattacks in recent years, with one study finding that cyberattacks targeting U.S. healthcare facilities more than doubled between 2016 and 2022.

In IBM's Cost of a Data Breach 2022  report, healthcare was the industry most significantly affected by data breaches. Each breach costs healthcare companies an average of $10.1 million, and losses may be large enough to force some hospitals out of business.

The report also found that highly regulated industries like healthcare typically take longer to recover from data breaches than organizations that are less regulated. Generally, it can take a healthcare organization more than 10 months to recover from a data breach.

Limor Kessem, a principal consultant in cyber crisis management for IBM's Security X-Force, said that healthcare organizations are often more vulnerable to cybersecurity attacks because of their complex technology infrastructures. Many organizations also run outdated programs on devices they use every day, which exacerbates the problem.

In addition to financial costs, some cyberattacks can affect patient care and potentially cost lives if medical systems are affected. "Attacks that take place in real time cause direct losses to hospitals, which have to reroute patients, deny care, lose access to electronic health records and see the risk to human lives rise as a result of the attack," Kessem said. "That's on top of staff distress and having to revert to manual procedures and paperwork."

How one hospital is still recovering from a cyberattack

In October 2021, Johnson Memorial Health was hit by a cyberattack by Hive, a prominent ransomware group that has targeted over 1,500 organizations in more than 80 countries. The group infiltrated the health system's networks and demanded it pay $3 million in Bitcoin as a ransom.

The hospital ultimately decided not to pay the ransom, even though it could open them up to fines and lawsuits in the future. Instead, "[l]eaders decided to disconnect after the attack, assess, and then rebuild, which meant taking several critical systems offline," Yousry writes.

Over the next few weeks, Johnson Memorial struggled to care for patients without their usual technology available. In the ED, ambulances had to be diverted to other hospitals since staff couldn't access patients' medical records.

Staff members in the obstetrics unit also had to physically guard the door to the unit to prevent unauthorized adults from leaving with infants since their usual security bracelets were not working. They also struggled to communicate with non-English speaking patients since their remote translation service was inaccessible.

"Stressed-out nurses were using Google Translate to communicate with this woman in labor," said Stacey Hummel, who manages the hospital's maternity department. "It was crazy."

According to Hummel, the cyberattack was the hardest challenge she had ever faced in her 24-year career — even worse than COVID-19. During the attack, fetal monitors in patients' rooms also went down, which meant that nurses had to manually monitor vital signs of pregnant individuals and their babies.

"Once that happened, we had to station a nurse in every single room," Hummel said. "So staffing was a nightmare because you had to stand there and watch the monitor."

Overall, it took the hospital almost six months to return to near-normal operations. "We worked... every single day in October, every single day. And some days, 12, 14 hours," said Rick Kester, Johnson Memorial's COO.

Currently, Johnson Memorial is still struggling with costs from the cyberattack. It is still waiting for its cyberattack insurance claim to be paid, even though it was submitted almost two years ago. Its annual insurance premium also increased 60% since the attack.

"That is an incredible increase in cost over the last three or four years and...when your claims aren't paid, it can be even more frustrating," said Johnson Memorial CEO David Dunkle. "We are investing so much in cybersecurity right now that I don't know how small hospitals will be able to afford [to operate] much longer."

What's being done to prevent future cyberattacks?

Currently, the federal government is working to address the threat of cyberattacks through trainings and awareness campaigns by the Cybersecurity and Infrastructure Security Agency (CISA). The FBI has also  dismantled  several ransomware groups, including Hive, the group that attacked Johnson Memorial.

CISA and the American Hospital Association (AHA) also previously  released  recommendations to help organizations minimize the risk and potential impact of cyberattacks, including:

• Requiring multi-factor authentication for all remote, privileged, and administrative access
• Keeping software up to date to avoid vulnerabilities
• Confirming that an organization's network is protected by antivirus and antimalware software
• Identifying and assess any unusual or unexpected network activity in a timely manner
• Designating a crisis response team with members in different areas, and conducting exercises to ensure everyone understands their role in a cyberattack
• Identifying "mission-critical clinical and operational services and technology" and developing business continuity plans in case operations are disrupted by an attack

According to John Riggi, AHA's national advisor for cybersecurity and risk, hospitals can also protect themselves with cyber insurance. However, many organizations say that coverage is often not comprehensive, which leaves them responsible for millions of dollars in damages.

"The government certainly could help in the space of cyber insurance, perhaps setting up a national cyber insurance fund, just like post-9/11, when folks could not obtain insurance against terrorist attacks, to help with that emergency financial aid," Riggi said.

"You ask many CEOs across the country, 'What keeps you up at night?' Of course, [they're] talking about workforce, financial pressures, and they say, 'The possibility of a cyberattack,'" Riggi said. (Yousry, "Shots," NPR, 5/8)

5 steps for becoming a cyber resilient organization

In a new era of IT-enabled and IT-driven business and clinical strategies, the trends of innovation, disruption, and digital transformation will further complicate the cybersecurity landscape. Access our resources to learn about critical areas for discussion and action.