By Ashwani Mishra, Editor-Technology, 63SATS
When hospitals are attacked, it’s not just data at risk—lives are on the line.
In 2019, a devastating event unfolded at Springhill Medical Center in Alabama. During a ransomware attack, a baby was born, but the joy soon turned into a tragedy. Nine months later, the child passed away. The mother, grief-stricken and seeking justice, filed a lawsuit claiming that her child’s death was due to medical complications arising from the delivering doctor’s inability to access crucial data during the ransomware attack.
A year later, in 2020, a similar tragedy struck a hospital in Dusseldorf, Germany. The facility was hit by a ransomware attack, rendering it unable to treat its patients. In a desperate bid to save a woman’s life, the hospital transferred her to another city for treatment. Tragically, she died in transit.
These harrowing incidents highlight the ruthless nature of ransomware attackers.
They show no regard for human life, indifferent to whether their victims are children or the elderly. The severity of their actions leaves a trail of sorrow and loss, underscoring the urgent need for robust cybersecurity measures in our healthcare systems.
Ascension Hospital Cyber Attack: EHRs, Patient Communication, and Medication Systems Disrupted
Over the past weeks, US-based Ascension, with 140 hospitals across 19 states and D.C., has made headlines due to a crippling cyberattack. The ransomware attack, detected on May 8, disrupted critical systems including EHRs, the MyChart platform, and medication and test-ordering systems.
This incident also impaired phone capabilities and patient portals, delaying medications and lab results, which affected timely medical decisions. Ascension staff reverted to manual processes, ensuring patient care continued safely. Despite working with top cybersecurity experts, Ascension has not given a resolution timeline. The Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency are investigating.
The Ascension breach follows a major ransomware attack on Change Healthcare in February, which exposed millions of Americans’ health data and caused delays in processing healthcare claims and prescriptions.
Surge in Healthcare Cyber Attacks: Ransomware Doubles, Affecting Millions
Cybersecurity breaches in American healthcare systems have shot in recent years. A 2023 University of Minnesota study found ransomware attacks more than doubled between 2016 and 2021, compromising the private health information of nearly 42 million people.
In August 2023, Los Angeles-based Prospect Medical Holdings, Inc. , which owns 170 medical facilities, took its national computer systems offline after they discovered a ransomware attack. Patient treatments were cancelled, outpatient facilities closed, and doctors had to use pen and paper instead of computers to record patient data.
Of the 16 critical infrastructure sectors tracked by the FBI’s 2023 Internet Crime report, healthcare had the highest number of organizations fall victim to ransomware attacks in 2023. The number of reported ransomware attacks directed at U.S. hospital systems nearly doubled from 2022 to 2023, indicating that cybercriminals are increasingly targeting health care institutions.
Ransomware was even listed as one of the biggest safety concerns in health technology for 2024 by nonprofit patient safety organization ECRI .
According to the American Hospital Association, numerous healthcare facilities have contingency plans in place to sustain operations without relying on technology for up to 72 hours, and in some cases, as long as 96 hours. But is it enough? There have been numerous instances where data has been held ransom for a week or more.
Hospitals Paid Over $100 Million in Ransoms to Cybercriminals
Hospitals are often targeted by ransomware attackers because they are more likely to pay ransoms due to the critical nature of their services. The urgency to restore access to essential patient data and medical systems makes them prime targets.
For instance, in 2016, Hollywood Presbyterian Medical Center’s systems were locked down by a ransomware attack. To regain access to their data, the hospital paid 40 bitcoins (approximately $17,000 at the time). This incident set a precedent, demonstrating that hospitals might comply with ransom demands to quickly resume critical operations and ensure patient care continuity.
Determining the exact number of hospitals that have paid ransoms, or the specific amounts, is challenging. However, charges filed by the U.S. Department of Justice in 2023 against Russian cybercriminals reveal that hospitals paid over $100 million in ransoms to a single group. This indicates that hospitals might be more inclined to pay ransoms compared to other institutions, making them more attractive targets for cybercriminals.
Ransomware Crisis: Indian Healthcare Faces Growing Cyber Threats
Indian hospitals have increasingly become targets of cyber threats and ransomware attacks, jeopardizing patient data and healthcare operations.
In December 2022, the All India Institute of Medical Sciences (AIIMS) was hit by a ransomware attack that compromised five servers, encrypting an estimated 1.3 terabytes of critical data, making it inaccessible to the hospital.
During the same time, the SREE SARAN MEDICAL CENTER in Tamil Nadu saw the personal data of 1.5 lakh patients sold on cybercrime forums and a Telegram channel. CloudSEK identified this as a supply chain attack, where the hospital’s IT vendor, Three Cube IT Lab, was initially targeted, leading to the exfiltration of personally identifiable information (PII) and protected health information (PHI).
On October 31, 2023, the Indian Council of Medical Research (ICMR) (ICMR) experienced a significant data breach, resulting in the information of over 81.5 crore Indians being sold on the dark web. This breach highlighted the vulnerability of sensitive health data.
On April 28, 2024, the Regional Cancer Centre (RCC) in Thiruvananthapuram, a state-owned premier cancer care hospital and research center, suffered a cyber attack. The attacker even attempted to control radiation treatment and critical patient care systems. While the extent of the data breach remains unclear, this incident underscores the potential severity of cyber-attacks on healthcare facilities.
These harrowing incidents underscore the merciless nature of ransomware attackers. The devastating consequences of these attacks, leading to the loss of innocent lives, highlight an urgent call to action.
Hospitals and healthcare facilities must prioritize robust cybersecurity measures to protect sensitive patient data and ensure uninterrupted medical care. The integration of advanced technology in healthcare, while beneficial, has made these institutions prime targets for cybercriminals.
The stakes are too high, and there is a need to act decisively to safeguard our healthcare systems and prevent further tragedies.