Current:Home > MyCyberattacks on health care are increasing. Inside one hospital's fight to recover-DB Wealth Institute B2 Expert Reviews
Cyberattacks on health care are increasing. Inside one hospital's fight to recover
View Date:2024-12-23 18:41:38
It was October 2021 and the staff at Johnson Memorial Health were hoping they could finally catch their breaths. They were just coming out of a weeks-long surge of COVID hospitalizations and deaths, fueled by the Delta variant.
But on Friday, October 1, at 3 a.m., the hospital CEO's phone rang with an urgent call.
"I remember like it was yesterday," says Dr. David Dunkle, CEO of the health system based in Franklin, Indiana. "My chief of nursing said, 'Well, it looks like we got hacked.'"
The information technology team at Johnson Memorial discovered a ransomware group had infiltrated the health system's networks. The hackers left a ransom note on every server, demanding the hospital pay $3 million in Bitcoin in the next few days.
The note was signed by the "Hive," a prominent ransomware group that has targeted more than 1,500 hospitals, school districts and financial firms in over 80 countries, according to the U.S. Department of Justice.
Johnson Memorial was just one victim in a rising wave of cyberattacks on hospitals across the country. One study found that cyberattacks on U.S. health care facilities more than doubled between 2016 and 2022.
In the aftermath, the focus frequently falls on the risk of confidential patient information being exposed, but these attacks can also leave hospitals hemorrhaging millions of dollars in the months that follow, and also cause disruptions to patient care, potentially putting lives at stake.
In Indiana alone, 27 hospitals were hit by cyberattacks between 2010 and 2023, according to data provided by the Indiana Hospital Association.
After its own attack, the staff at Johnson Memorial suddenly had to revert back to low-tech ways of patient care. They relied on pen and paper for medical records and notes, and sent runners between departments to take orders and deliver test results. The impacts were felt for weeks.
"You ask many CEOs across the country, 'What keeps you up at night?' Of course, [they're] talking about workforce, financial pressures, and they say, 'The possibility of a cyberattack,'"
says John Riggi, the national adviser for cybersecurity and risk at the American Hospital Association.
The hacker's ransom: to pay or not to pay
A few hours after that 3 a.m. call, Dunkle was on the phone with cybersecurity experts and the FBI.
The burning question on his mind: Should his hospital pay the $3 million ransom to minimize disruptions to its operations and patient care?
"[FBI agents] want you to know that if you pay a ransom to what is deemed a terrorist organization, you can open yourself up down the line to a fine," he says.
Dunkle is referring to potential fines levied by the U.S. Department of the Treasury's Office of Foreign Assets Control if an organization facilitates or makes a payment to cybercriminals.
Dunkle also worried about possible lawsuits, because the hackers claimed that they stole sensitive patient information they'd release to the "dark web" if Johnson Memorial did not pay up. Other health-data breaches have led to class-action lawsuits from patients.
The Office for Civil Rights can also impose financial penalties against hospitals if HIPAA-protected patient data is divulged.
"It was information overload," Dunkle recalls. All the while, he had a hospital full of patients needing care and employees wondering what they should do.
The hospital goes digitally dark
In the end, the hospital did not pay the ransom. Leaders decided to disconnect after the attack, assess, and then rebuild, which meant taking several critical systems offline. That upended normal operations in various departments.
The emergency department had to divert ambulances with sick patients to other hospitals because the staff couldn't access patient medical records.
In the obstetrics unit, newborns usually wear security bracelets around their tiny legs to prevent unauthorized adults from moving the infant or leaving the unit with them. When that tracking system went dark, staff members had to physically guard the unit doors.
During one delivery, nurses struggled to communicate with an Afghan refugee who came from the nearby military post to give birth. The remote translation service they typically used was inaccessible because of the cyberattack.
"Stressed-out nurses were using Google Translate to communicate with this woman in labor," says Stacey Hummel, the maternity department manager. "It was crazy."
Hummel says it was the hardest challenge she's ever faced in her 24 years of experience –– even worse than COVID. As the cyberattack unfolded, her nursing team was praying "Please don't let the fetal monitors go down." And then they did.
The clinical staff suddenly could no longer receive digital notifications outside of the labor rooms, notifications that help them monitor the vital signs of laboring women and their fetuses. That meant critical data points, like a dangerously low heart rate or high blood pressure, could go unnoticed.
"Once that happened, we had to station a nurse in every single room," Hummel says. "So staffing was a nightmare because you had to stand there and watch the monitor."
Beefing up staffing at that time was no small feat, as nurses were in short supply nationwide and labor costs were high.
The hospital's billing department was also crippled. For months they were unable to bill insurance plans to be paid in a timely fashion.
An IBM report estimated that cyberattacks on hospitals cost an average of $10 million per incident, excluding any ransom payment –– the highest among all industries.
Hospital leaders say for this reason, cyberattacks pose an existential threat to the viability of hospitals across the country, especially financially-struggling hospitals or smaller hospitals in rural areas.
Where cyber insurance falls short
Cyber insurance has become a critical part of hospital budgets, according to Riggi of the American Hospital Association. But some institutions are finding the insurance coverage isn't comprehensive, so even after an attack they remain on the hook for millions of dollars in damages.
At the same time, insurance premiums can soar after a cyberattack.
"The government certainly could help in the space of cyber insurance, perhaps setting up a national cyber insurance fund, just like post-9/11, when folks could not obtain insurance against terrorist attacks, to help with that emergency financial aid," Riggi says.
The federal government has taken steps to address the threat of cyberattacks against critical infrastructure, including training and awareness campaigns by the federal Cybersecurity and Infrastructure Security Agency. The FBI has taken down several ransomware groups, including the "Hive," the group behind the attack on Johnson Memorial.
Today, Johnson Memorial is up and running again. But it took nearly six months to resume near-normal operations, according to the hospital's Chief Operating Officer Rick Kester.
"We worked... every single day in October, every single day. And some days, 12, 14 hours," Kester says.
The hospital is still dealing with some ongoing costs. Its revenue cycle has not fully recovered yet and its cyber attack insurance claim, submitted nearly two years ago, still hasn't been paid, Dunkle says. The hospital's annual insurance premium is up 60 percent since the incident.
"That is an incredible increase in cost over the last three or four years and...when your claims aren't paid, it can be even more frustrating," he says. "We are investing so much in cybersecurity right now that I don't know how small hospitals will be able to afford [to operate] much longer."
This story comes from NPR's health reporting partnership with Side Effects Public Media and KFF Health News.
veryGood! (61111)
Related
- Jessica Simpson’s Sister Ashlee Simpson Addresses Eric Johnson Breakup Speculation
- Oregon Gov. signs bill reintroducing criminal penalties for drug possession: What to know
- YouTuber Aspyn Ovard Files for Divorce From Parker Ferris Same Day She Announces Birth of Baby No. 3
- Yes, we’re divided. But new AP-NORC poll shows Americans still agree on most core American values
- 13 escaped monkeys still on the loose in South Carolina after 30 were recaptured
- Students with disabilities more likely to be snared by subjective school discipline rules
- Sabrina Carpenter Channels 90s Glamour for Kim Kardashian's Latest SKIMS Launch
- Family of Kaylee Gain, teen injured in fight, says she now has trouble speaking, walking
- Video shows masked man’s apparent attempt to kidnap child in NYC; suspect arrested
- Lawmakers in GOP-led Nebraska debate bill to raise sales tax
Ranking
- What is best start in NBA history? Five teams ahead of Cavaliers' 13-0 record
- Voters reject Jackson County stadium measure for Kansas City Chiefs, Royals
- Jurors to begin deliberating in case against former DEA agent accused of taking bribes from Mafia
- Firefighters rescue 2 people trapped under Ohio bridge by fast-rising river waters
- Bohannan requests a recount in Iowa’s close congressional race as GOP wins control of House
- Nicki Minaj Pink Friday 2 tour: See the setlist for her career-spanning concert
- The women’s NCAA Tournament is having a big moment that has also been marred by missteps
- Oliver Hudson walks back previous comments about mom Goldie Hawn: 'There was no trauma'
Recommendation
-
Zendaya Shares When She Feels Extra Safe With Boyfriend Tom Holland
-
Alabama lawmakers advance a bill that would revamp the state ethics law
-
The Real Reason Paris Hilton and Carter Reum Don't Share Photos of Baby Girl London
-
Wisconsin power outage map: Winter storm leaves over 80,000 customers without power
-
'Red One' review: Dwayne Johnson, Chris Evans embark on a joyless search for Santa
-
Wisconsin governor urges state Supreme Court to revoke restrictions on absentee ballot drop boxes
-
Wisconsin Gov. Evers vetoes transgender high school athletics ban, decries radical policies targeting LGBTQ
-
Trump sues two Trump Media co-founders, seeking to void their stock in the company