St. Margaret’s Health (SMH), an Illinois hospital, is set to permanently close its hospitals, clinics, and other facilities later this week. While multiple factors contributed to this decision, including the financial strain caused by the COVID-19 pandemic and low patient volumes due to social-distancing mandates, a major catalyst was a ransomware attack that occurred in February 2021. This attack severely impacted the hospital’s ability to collect payments from insurers and forced a shutdown of its IT network, email systems, electronic medical records (EMR) portal, and other web operations.
Linda Burt, SMH’s vice president of quality and community services, revealed that the attack lasted four months, during which employees had no access to the hospital’s IT system. Medical records had to be recorded manually on paper, leading to delays in entering charges and sending out claims. As a result, insurance plans were not being filed in a timely manner, and payments were not being received. The financial consequences of the ransomware attack were significant and played a decisive role in the hospital’s ultimate closure.
SMH now joins a growing list of organizations that have been forced out of business due to cyberattacks. Security analyst and researcher Adrian Sanabria keeps a list of these organizations, which currently includes 24 entities from various sectors. Among them are CardSystems, a payment processing firm that closed in 2005 after a data breach compromised millions of credit cards, and security firm HBGary, which went under in 2011 following a hacker attack that exposed sensitive information. Notably, 10 of the organizations on Sanabria’s list were victims of ransomware attacks that occurred after 2014, signaling the increased prevalence and impact of this type of cybercrime.
Experts predict that SMH won’t be the last casualty of ransomware attacks in the healthcare sector. Joshua Corman, a former chief strategist at the Cybersecurity and Infrastructure Security Agency (CISA), emphasized that smaller hospitals, especially those located in rural areas, are particularly vulnerable. These hospitals often face financial strains and lack the resources to recover from extended operational disruptions caused by ransomware attacks. Corman, who previously served on a CISA COVID-19 task force, highlighted the potential correlation between excess hospital deaths and such cyberattacks.
Furthermore, small, midsized, and rural hospitals encounter challenges in securing cyber insurance and employing dedicated cybersecurity staff. The cost of insuring against cyber threats is often high, leaving these hospitals with limited coverage. Corman stressed the urgent need for relief measures from Congress and the White House, urging policymakers and industry stakeholders to prioritize strengthening cybersecurity practices and providing financial assistance to vulnerable organizations.
Mike Hamilton, former Chief Information Security Officer (CISO) for the City of Seattle and current CISO at healthcare cybersecurity firm Critical Insight, acknowledged that even healthcare entities like SMH, which may be unable to pay ransoms, can become targets due to their cyber insurance coverage. Hamilton explained that threat actors set their extortion demands just below the cost of rebuilding and recovery when they know an organization is insured, intending to exploit their financial vulnerability.
In light of these challenges, experts recommend that smaller and rural healthcare systems seek assistance from state and federal authorities. They should engage with regional CISA and the Department of Health and Human Services (HHS) resources, as well as the Federal Bureau of Investigation (FBI). Additionally, prioritizing patching of known vulnerabilities and utilizing free cybersecurity tools offered by CISA, such as Cyber Hygiene Scanning (CyHy) and Cyber Essentials, can help mitigate risks.
Hamilton emphasized the importance of limiting employee access to the internet in healthcare environments. By restricting internet access and adopting stringent controls similar to those used in critical infrastructure facilities, healthcare organizations can significantly reduce the risk of user-initiated attacks. Preventative measures of this nature can have a significant impact on overall cybersecurity prevention efforts.
As the healthcare sector continues to grapple with cybersecurity challenges, it is vital for policymakers, industry stakeholders, and healthcare providers to collaborate and take decisive action. Addressing this new and evolving threat landscape is crucial to ensuring the survival and resilience of healthcare organizations, especially those that are small, rural, and resource-constrained. Only through a multi-faceted approach that includes improved cyber-hygiene practices, financial assistance, and policy reforms can the healthcare industry effectively combat the existential threat posed by ransomware attacks.