Columbus Regional Health is on high alert after a wave of cyberattacks hobbled at least three nearby hospitals in recent weeks that have, in some cases, disabled computer systems, forced staff to revert to pen-and-paper record-keeping and disrupted patient care.
The attacks, which CRH officials said appear to be targeting healthcare providers and first responders, have swept through southern and central Indiana over the past several weeks, ranging from data theft to ransomware attacks or other breaches.
Over the past two weeks, cyberattacks have been reported at Johnson Memorial Health in Franklin and Schneck Medical Center in Seymour. In August, Eskenazi Health in Indianapolis was struck by a cyberattack. It is not clear whether the attacks are related.
So far, CRH has not fallen victim to a cyberattack, though the hospital system saw a “record number of attempts” to breach its computer systems last month, said CRH spokeswoman Kelsey DeClue.
In response, CRH officials said the hospital system has been putting in place additional cybersecurity measures, adding that it is “insane” how often the hospital is being targeted. However, hospital officials declined to go into any details on what additional measures were being taken, citing security concerns.
“We’re certainly always on alert,” DeClue said. “…The (IT) teams are always finding a new way that somebody is trying to get in.”
The increased measures by CRH come as cyberattacks targeting the healthcare sector have spiked during the pandemic, with the FBI and two other federal agencies warning last year that they “had credible information of an increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”
The threats included data theft and ransomware attacks, which is when hackers gain access to sensitive data and threaten to publish it or block access to it unless a ransom payment is made.
Cyberattacks against hospitals in Indiana are not new, but rarely has a series of attacks impacted the operations of multiple hospitals in the Columbus area in such a short period of time.
In August, “sophisticated cyber criminals” penetrated Eskenazi Health’s computer systems and stole the personal and health care data of patients and employees, the hospital said in a statement Oct. 1. The attack resulted in the hospital diverting ambulances to other facilities.
Some of that data, the hospital said, was posted on the dark web — including names, dates of birth, addresses, medical diagnoses, Social Security numbers, passport numbers, facial images, credit card information, among other information, the statement said.
A few weeks later, Schneck Medical Center in Seymour suspended all IT operations “out of an abundance of caution” after being hit with a cyberattack.
The hospital said at the time that “third-party security partners” were attempting to restore operations as soon as possible. As of Friday, Schneck had restored “some computer operations,” including Meditech core operations, enterprise printer systems and its picture archiving and communications systems, according to Becker’s Health IT.
A Schneck spokesperson told Becker’s Health IT on Friday that the hospital was “working system by system” to restore computer operations as part of a “thorough evaluation” of its systems.
Just a handful of days later, Johnson Memorial Health was hit with a cyberattack that resulted in the disabling of its computer system, forcing staff to fill out patient records on paper, cutting off electronic communication with other healthcare agencies and preventing the hospital from being able to report staffing and bed counts in real time to local emergency medical providers, The Franklin Daily Journal reported.
CRH has not been flooded with patients being diverted from those hospitals as a result of the cyberattacks, but helped Schneck with radiology and cancer care services for some patients, DeClue said.
Despite the flurry of recent attacks, it’s hard to estimate how many healthcare organizations have been hit by similar attacks, though estimates are staggering.
One recent study by technology research and comparison website Comparitech suggested that ransomware attacks impacted more than 600 healthcare organizations — and more than 18 million patient records — last year.
A survey by U.K.-based security firm Sophos found that 1 in 3 healthcare organizations worldwide were struck by ransomware attacks last year, with an average total cost to the organization of $1.27 million, taking into consideration network downtime, employee time, the ransom paid, among other expenses.
The average ransom paid was $134,304. But even after paying the ransom, healthcare organizations, on average, were only able to recover 69% of the data that was encrypted by hackers, the survey found.
And most healthcare organizations that weren’t hit by ransomware attacks last year expect to be at some point in the future, according to the survey. Some said they are already experiencing an increase in attempted attacks.
