US hospitals are likely to see an increase in cyberattacks by hackers, experts warn
One of the top children’s hospitals in the country, the Ann & Robert H. Lurie Children’s Hospital of Chicago, has been forced to put its phone, email, and medical record systems offline as it battles a cyberattack. Cybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is crippling operations at a premier Midwestern children’s hospital, and that the U.S. government is doing too little to prevent such breaches.
Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records. Today, they are a favorite target for internet thieves who hold systems’ data and networks hostage for hefty ransoms, said John Riggi, the American Hospital Association’s cybersecurity adviser.
Unfortunately, the unintended consequence of the use of all this network and internet-connected technology is it expanded our digital attack surface, Riggi said. So, many more opportunities for bad guys to penetrate our networks.
Brett Callow, an analyst for the cybersecurity firm Emsisoft, counted 46 cyberattacks on hospitals last year, compared with 25 in 2022. The paydays for criminals have gotten bigger too, with the average payout jumping from $5,000 in 2018 to $1.5 million last year.
Callow believes the government should ban cyberattack victims such as hospitals, local governments, and schools from paying ransoms. There’s so much money being paid into the ransomware system now there’s no way the problem is going to simply go away on itself, he said.
The Department of Health and Human Services said it will rewrite the rules for the Health Insurance Portability and Accountability Act — the federal law commonly called HIPPA that requires insurers and health systems to protect patient information – to include new provisions that address cybersecurity later this year.
In Chicago, Lurie hospital’s network has been offline for two weeks. The hospital, which served more than 260,000 patients last year, has established a separate call center for patients’ needs and resumed some care.
On Thursday, Lurie’s surgeons operated on Jason Castillo’s 7-month-old daughter mostly by hand, without some of the high-tech devices usually used. His daughter’s planned heart surgery was postponed on Jan. 31 when the hospital found itself under cyber siege.
She’s doing fantastic, Castillo said of his daughter, who is now recovering at home. It feels like a huge cloud has been lifted from our household.
Even once Lurie has restored their network, it’ll likely take months of behind-the-scenes work for the hospital to fully rebound, Callow said.
These incidents can affect everything from patient care to payroll, Callow said. Fully recovering can take months, it’s not simply a matter of flicking a switch and everything comes back on.
Becoming the victim of a cyberattack is costly, too. The attacks can put hospitals’ networks offline for weeks or months, forcing hospitals to turn away patients.
The more prepared we are, the better, said Deputy Secretary Andrea Palm. But, she added, some hospitals will struggle to protect themselves. She is worried about rural hospitals, for example, that may have difficulty cobbling together money to properly update their cybersecurity. HHS wants more money from Congress to tackle the issue, but Palm said the agency doesn’t have a precise dollar amount it’s seeking.
It’s important to note that this has to come with resources, Palm said. We can’t set the industry up not to be able to meet requirements.
As hospitals across the United States continue to face cyber threats, experts are urging the government to take stronger action to prevent future breaches. The increase in online raids targeting hospitals has prompted the Department of Health and Human Services to develop new rules to protect facilities from cyberattacks.
According to cybersecurity analysts, the number of cyberattacks on hospitals has been steadily rising, with criminals demanding increasingly larger ransoms. Last year alone, there were 46 reported attacks on hospitals, more than double the number in the previous year. The average payout for these attacks also soared to $1.5 million.
To combat this growing threat, experts suggest banning ransom payments from victims. By cutting off the financial incentives for cybercriminals, it is hoped that the problem can be mitigated. Additionally, the Department of Health and Human Services plans to revise the rules of the Health Insurance Portability and Accountability Act to address cybersecurity concerns.
The effects of a cyberattack on a hospital can be profound, with networks remaining offline for weeks or even months. Patients may be turned away, and hospital operations can be severely disrupted. The long-term recovery process is complex and time-consuming, requiring extensive efforts to restore systems and ensure patient care can resume normally.
While steps are being taken to address this issue, some hospitals, especially rural facilities, may struggle to keep up with the necessary cybersecurity measures due to financial constraints. It is crucial that resources and support are provided to aid these hospitals in meeting the requirements and protecting patient data.
The recent cyberattack on the Ann & Robert H. Lurie Children’s Hospital of Chicago serves as a stark reminder of the vulnerability of medical institutions. As hospitals increasingly rely on digital technology to provide care and manage patient records, it becomes imperative to implement robust cybersecurity measures to safeguard against future cyber threats.
