Hospital trio learns cybersecurity lessons the hard way
How quickly a hospital recovers from a ransomware cyberattack has a lot to do with how thoroughly the hospital prepared ahead of time for just such an event.
This lesson was recently hammered home at three community hospitals and the government of the state in which the sister institutions operate, Connecticut.
The breach began in early August, continued for at least 40 days and, early on, forced hospital leadership to divert emergency patients, cancel elective procedures and request an advance of around $7.5 million from the state’s Department of Social Services.
The latter action was needed to make up for Medicaid billings that could not be processed due to a reactive shutdown of all networked computers during the crisis.
All three affected hospitals—Manchester Memorial, Rockville General and Waterbury Hospital—are owned by Los Angeles-based Prospect Medical Holdings.
Hard hits, unsettling lessons
By the time the three hospitals and their affiliated off-campus offices declared “all services back online” in mid-September, they had taken some hard hits and learned some difficult lessons about planning for ransomware attacks and other cyber disasters.
Among the unhappy surprises likely to change leadership’s outlook, going by coverage in the local and national press:
- More than 24,000 employees of Prospect Medical Holdings in Connecticut may have had Social Security numbers and other personal information snatched during the attack.
- Counts of affected patients are harder to come by. Officials are unsure any personal health data was compromised.
- Along with diverting emergency patients, the affected hospitals for a time could not take new patients with stroke or psychiatric conditions.
- They also struggled to get digital imaging exams in front of radiologists for interpretation. Some radiologists were said to be sleeping in the hospital and hand-delivering imaging results to referring doctors.
- The costs of dealing with the cyberattack added to the three hospitals’ existing financial woes—to the point where leadership told Gov. Ned Lamont and a group of state legislators their financial situation was “dire.”
- Over one 10-day stretch, the hardest-hit of the three hospitals saw its bed census plummet from 126 patients to 88.
- When the victimized providers sought to borrow glucometers during the incident, they found HIPAA requirements made this a dicey prospect.
- The three hospitals were preparing for sale to Yale New Haven Health when the attack was launched. That deal may now be in doubt.
Several watchers believe the Prospect Medical Holdings attack, which may have extended beyond Connecticut, is the work of the multinational Rhysida ransomware group. HHS maintains a fact sheet on this group.
‘Some think it can’t happen to them’
The Connecticut news site CT Mirror has detailed coverage of the breach and its aftermath, including a granular timeline. The outlet spoke with biomedical informaticist Dean Sittig of the University of Texas.
“I guess some think it can’t happen to them,” Sittig says. “They might think, ‘I’m too inconsequential for anyone to bother attacking me.’”
More:
“They don’t understand that these systems work by people programming computers to try [to breach] every computer in the entire country. It’s not like they’re picking someone out and saying, ‘Let’s go to this little hospital in Connecticut and try something.’ … This is a problem that can be prevented.”
Additional coverage is extensive.