When ransomware gets deadly: Attack brings down hospital system
Hospitals left working with paper charts after ransomware forces IT shutdown, cancels surgeries
A Marietta, Ohio-based hospital chain was recently forced to shut down IT systems and cancel surgeries, underscoring the deadly ramifications of ransomware.
In the wake of the attack, which took place on August 15, Memorial Health System was reduced to working with paper charts.
The attack resulted in disruptions to clinical and financial operations, Memorial said in an Aug. 18 statement.
Memorial Health System covers 325 providers representing 64 clinics, spread across southeastern Ohio and parts of West Virginia, according to its website.
T. MOBILE’S DATA BREACH: WHAT CUSTOMERS NEED TO KNOW
While urgent and elective surgical cases were postponed – a serious consequence of the attack – emergency cases, which are the most critical, were not canceled, Jennifer Offenberger, associate vice president of service excellence at MHS, told FOX Business in an interview.
"There's a difference between urgent and emergent," she said – the latter referring to emergency cases. "Emergent is life-threatening…urgent is something that might need to be done but it has a little broader time scale to it."
But underscoring the gravity of the attack, the FBI, Homeland Security and other security organizations were brought in to restore information operations, according to Offenberger.
"We could not access our servers which contain all of our patient data," she said.
MHS has been negotiating with the attackers with assistance from the FBI, Homeland Security and insurance carriers, Offenberger said, adding that "This was ransomware. We have a negotiated solution."
POLY NETWORK OFFERS JOB TO HACKER WHO STOLE $600M
One of the most distressing facts about ransomware is that it often requires a payment – sometimes millions of dollars – to restore operations. Offenberger did not disclose the details of the negotiations.
Memorial Health System President and CEO Scott Cantley said on Aug. 18 that "no known patient or employee personal or financial information has been compromised."
Lives at stake
"As we have witnessed over the last year, the attackers have no respect for human lives," Fleming Shi, CTO of Barracuda Networks, told FOX Business. "They are finding the most critical services and organizations to attack so they can get paid."
Tim Eades, the CEO at vArmour, called ransomware attacks "an existential threat to hospitals and healthcare."
"A hospital’s reputation matters, and ransomware attacks can sow distrust with the public during a time where trust in public health is more important than ever," Eades said.
GET FOX BUSINESS ON THE GO BY CLICKING HERE
Hospitals are constant targets
A whopping 48% of hospital executives reported shutdowns in the last six months, according to a new study from Philips and CyberMDX.
The problem is also costly. Large hospitals report an average shutdown time of 6.2 hours at a cost of $21,500 per hour, while midsize hospitals averaged nearly 10 hours at more than double the cost, or $45,700 per hour, the report said.
And hospitals and health care systems continue to be vulnerable, despite the wave of attacks.
When asked about computer system vulnerabilities targeted by criminal gangs, "the majority of respondents said their hospitals were unprotected," the report said.
"Currently, ransomware groups are managing to breach hospitals and medical organizations easily using the same tried-and-tested methods, often targeting users with malicious emails, attachments and links," Ian Pratt, Global Head of Security for Personal Systems at HP, told Fox Business.
"Every technology decision a hospital makes is a security decision, and even the smallest vulnerability can compromise patient safety and privacy," Pratt said.