When a hospital suffers a ransomware attack, consequences are felt beyond financial losses.
During this type of attack, criminals lock files (and sometimes parts of the infrastructure) to demand ransom for regained access. If the important medical records are encrypted, this hacking incident can endanger patient's lives.
For underfunded hospitals, this malware can lead to the final closure of the institution.
We explore three recent ransomware cases and how they affected hospitals in the US.
#1 Atlantic General Hospital
On January 29, 2023, Atlantic General Hospital detected ransomware (encryption of certain files) within its systems. An analysis showed that hacking activity started weeks before.
In March, the estimated number of patients was 30,000. Some of the stolen documents include data about health insurance, names of physicians, patient names, medical record numbers, and files about treatment and health history.
Later, in June, it came to light that the attack affected 136,981 individuals whose sensitive data had been compromised in the breach.
Further investigation showed the information that hackers managed to extract also included patient names linked to their social security numbers, birthdays, diagnoses, and data concerning their financial accounts.
That kind of data can be used for identity theft as well as credit card fraud. The hospital offers free identity fraud protection services and credit card monitoring to affected patients.
This case shows how long it can take for accurate damage estimation within complex healthcare systems following ransomware.
#2 St. Margaret’s Health Hospital
In 2021, St. Margaret’s Health Hospital suffered a ransomware attack. Two years later, it became clear that this had been the final straw for the rural hospital that had already been financially struggling, short-staffed, and affected by COVID-19.
In June 2023, the hospital announced that it would be closing down after 120 years of service.
Major ransomware groups target larger hospitals and chains to get a larger payoff. The majority of the cyberattacks are financially motivated, even those that affect hospitals.
However, less skilled criminals will focus on small institutions that are easier to compromise since they don’t have defenses that match those of larger hospitals.
The cost of a cyberattack accumulates fast. It takes a lot of resources to completely remove the ransomware from systems following the attack, improve security, and accurately assess the damage.
St. Margaret’s Health was a rural hospital with a limited security budget — which left them with fewer funds they could invest to prevent an attack in the first place, and also to completely recover from the incident.
#3 CommonSpirit Health
In October 2022, CommonSpirit Health was hit by ransomware in multiple locations. This is one of the largest hospital chains of non-profit healthcare that counts over 140 institutions.
In the case of Washington CommonSpirit Health hospital, the attack left the employees in the dark. They couldn’t access the medical records or get lab test results.
This meant that they lost records they relied on to see which medications needed to be administered or why certain patients arrived at the emergency rooms.
Most of the systems were down out of precaution. Computers that worked would run slow. Nurses went back to using pen and paper.
Complete access to the systems in Washington hospital wouldn’t be restored for two weeks after the attack. For other hospitals, the outage of systems following the attack was longer — over a month. Sensitive data of more than 623,700 patients was compromised in the attack.
It’s estimated that this incident set back the chain of hospitals for more than $160 million. This includes the cost of the remediation following the attack as well as long downtimes for certain hospitals within the chain.
How Can Healthcare Institutions Prepare for Ransomware?
Preventative measures that any hospital can apply, regardless of the budget for cybersecurity spending are:
- Insisting on strong passwords — criminals need illicit access to your system to deploy malware, don’t make it easy
- Update all the devices regularly — accepting updates provided by the manufacturer sets the devices to their safest version
- Prepare your staff for a possible ransomware attack — they should know their next steps in case a ransom message appears on hospital screens
For example, write down the guidelines on what to do in case of ransomware. Cover the importance of documenting ransom messages, turning off WiFi, not restarting devices, etc.
Hospitals that can invest more to protect their sensitive data and patients, can also:
- Introduce regular phishing awareness training — the majority of ransomware attacks start with a phishing scam
- Invest in anti-ransomware solutions for stronger protection — they continually seek ransomware signatures — such as encryption attempts
Many consider a ransom message the start of the attack.
However, when a ransom message appears on the screen, the attack is mostly executed. The hacker already got access to the victim’s network. The files are already locked with encryption for which only the hacker has the key.
Depending on the threat actor, some of the documents might also be stolen before the hacker restricted access to databases or parts of the infrastructure.
Criminals don’t encrypt the files right away. Instead, they often steal them before encrypting them to put additional pressure on their victims — especially if they refuse to pay the ransom.
Keeping up With Evolving Ransomware Attacks
Ransomware is already disrupting hospitals and patient care. It can restrict access to important medical files, steal sensitive medical records, or close down the entire institution.
New, evolving strains of ransomware will do even more damage.
Compared to the ransomware types from more than six years ago (e.g. WananCry) that also affected hospitals, new types of ransomware already do more than lock files and restrict access until a hospital pays a ransom. They also extract sensitive documents beforehand.
As with any other cyberattack, ransomware continuously evolves. Since they’re a vulnerable group, medical institutions need security solutions that can keep up with it but also prepare their staff for this common cyber incident.
