An Illinois hospital's decision to cease operations later this week at least partly because of a 2021 ransomware attack that crippled operations for months is a stark reminder of the sometimes-existential threat that online extortion campaigns can pose.
That's especially true for resource-strapped small and rural hospitals.
St. Margaret's Health (SMH) will permanently close its hospitals, clinics, and other facilities at Spring Valley and Peru, Ill. this Friday, June 16, after serving the community for 120 years. Multiple factors led to the decision, including unprecedented expenses tied to the COVID-19 pandemic, low patient volumes tied to social-distancing mandates, and staff shortages that forced the health system to have to rely on temporary staffing agencies.
But the February 2021 ransomware attack on its systems at Spring Valley had a big part to play; they catastrophically impacted the hospital's ability to collect payments from insurers for services rendered, and the attack forced a shutdown of the hospital's IT network, email systems, its electronic medical records (EMR) portal, and other Web operations.
A Contributing Factor
SMH vice president of quality and community services Linda Burt says the attack lasted four months, during which employees had no access to the IT system, including email and the EMR system.
"We had to resort to paper for medical records. It took many months, and in some service lines, almost a year to get back online and able to enter any charges or send out claims," Burt says. "Many of the insurance plans have timely filing clauses which, if not done, they will not pay. So, no claims were being sent out and no payment was coming in."
SMH is the latest to make the list that security analyst and researcher Adrian Sanabria maintains of organizations that were forced out of business because of a cyberattack over the past two decades. The list currently comprises 24 organizations — many of them small — across multiple sectors. Among the names in the list is payment processing firm CardSystems, which closed in 2005 following a data breach that exposed sensitive data associated with some 40 million credit cards; security firm HBGary which went kaput in 2011 after hackers broke into its systems and leaked information about the company; and Brookside ENT and Hearing Center which shut down in 2019 following a ransomware attack. Significantly, 10 of the cyberattacks on Sanabria's list are ransomware-related and all of those happened after 2014, when ransomware really started ramping up.
St. Margaret's Won't be the Last Ransomware Casualty
Joshua Corman, former CISA chief strategist and current vice president of cyber safety strategy at Claroty, expects what happened at SMH will happen to other hospitals, especially smaller ones and those located in rural areas. Corman, who was part of a CISA COVID-19 task force that looked into the potential correlation between excess hospital deaths and ransomware, says the hospitals most expected to close are those that are situated the farthest away from other hospitals and alternative care options.
"Small and rural hospitals already face significant financial strains from the last few years of [the] pandemic and very few have much cash-on-hand reserves for unplanned disruptions," Corman says. "Ransomware attacks can disrupt operations for weeks and months and can, therefore, represent the straw that breaks the camel's back."
A couple of factors might be exacerbating the situation. Often many small, midsized, and rural hospitals lack a full-time security staff. They also have a harder time getting cyber insurance, and when they do, it can cost more for less coverage.
"Congress and the White House are exploring relief, and it's long overdue," Corman says.
In the meantime, policy-makers and industry stakeholders need to find a way to raise the bar on cyber-hygiene in material ways, and provide financial assistance for smaller, target-rich, but cyber-poor entities. "Ransomware attacks represent a new, man-made, but material hazard deserving of Board-level attention," Corman says. "This hazard could drive smaller and rural hospitals into closure."
Mike Hamilton, former CISO for the City of Seattle and currently in the same role at healthcare cybersecurity firm Critical Insight, says it's unclear if the attack on SMH was opportunistic or targeted in nature. However, even healthcare entities like SMH, which likely don't have the ability to pay a ransom even if they wanted to, can become a target if the threat actor knows it carries cyber insurance, Hamilton says. "Knowing that organizations have cyber insurance allows threat actors to set the extortion demand just under the threshold for the cost of rebuild and recovery," he notes.
Advocating for State & Federal Assistance
Like Corman, Hamilton too views a cyberattack that disrupts operations as existential for healthcare providers that are already operating on thin margins.
Corman advises administrators and top management at smaller and rural healthcare systems to advocate for assistance from state and federal authorities. "To aid in minimizing risk, these systems should engage their regional CISA and HHS resources along with the FBI," Corman notes. They can also focus on prioritizing patching of CISA's Known Exploited Vulnerabilities and take advantage of some of the free cybersecurity tools that CISA offers such as Cyber Hygiene Scanning (CyHy) and Cyber Essentials.
Hamilton says healthcare IT teams need to limit employee access to the Internet from a healthcare environment as much as possible. "Use the analogy of a control room that operates a dam that generates power — no Internet access, period," he says. "Most attacks start with user action and limiting that access can have an outsized effect on prevention."