FRESNO – As cyber and ransomware attacks on U.S. hospitals continue to increase, researchers say the situation should be categorized as a “regional disaster” because the impacts reach beyond the affected hospitals. The fallout has left some unaffected hospitals operating under a surge of new patients.
According to a Dec. 29, 2022 article in the Journal of the American Medical Association (JAMA), from January 2016 through December 2021, there were 374 ransomware attacks on U.S. healthcare organizations. These attacks compromised the personal health information (PHI) of nearly 42 million patients.
The Times asked Kaiser Permanente Fresno Medical Center to comment on what defenses the hospital has in place to protect PHI. Jordon Scott, senior media relations and public relations representative, said that – owing to the sensitive nature of the subject – Kaiser could not discuss the situation.
Kaiser issued the following statement: “Kaiser Permanente is committed to protecting the confidentiality of our members’ and patients’ information. We regularly assess and monitor our security systems and pay close attention to security enhancements as well as the latest technologies to help protect our data.”
The Times reached out to Adventist Health and Kaweah Health Medical Center for comment but did not get a response as of press time.
A REGIONAL DISASTER?
Check Point Research has noted that from 2021 through 2022, cyberattacks worldwide increased by 38%. Check Point Research is the cyber threat intelligence arm of Check Point Software Technologies, a multinational software provider of IT security.
In May 2021, the University of California San Diego (UCSD) Health Center was slammed with patients. According to a National Public Radio article published June 25, the influx was not due to COVID or a multivehicle accident. Hackers had brought down the computer network at Scripps Health, a hospital located near UCSD. With Scripps out of operation, patients descended on UCSD.
Dr. Christian Dameff, UCSD’s medical director of cybersecurity, co-authored a study that appeared in the May 2023 volume of JAMA. The study found that hospitals, such as UCSD Health Center, located near a compromised facility such as Scripps Health may see increases in patients and may “experience resource constraints affecting time-sensitive care for conditions such as acute stroke.”
Because cyber or ransomware attacks have the potential to shut down a facility, Dameff and his co-authors believe this creates a domino effect on other hospitals, disrupting patient care, overburdening staff, taxing resources and causing serious, even dangerous, delays. For these reasons, the authors say these attacks should be considered regional disasters.
M&As AND PHISHING
Brian Horton is the CEO of Breadcrumb Cybersecurity. The company has offices in San Jose, Boston and Fresno.
For security reasons, Horton did not identify the hospitals for which his company has provided services. But he identified two vulnerabilities that many hospitals share and that “threat actors” exploit: mergers and acquisitions, and staff emails. The term “threat actor” describes a person or group of people who take part in harming aspects of the cyber realm, such as computers, systems and networks.
According to Horton, the healthcare landscape is ever changing. Larger organizations acquire smaller ones or organizations merge, creating new business entities. This state of flux makes it difficult for IT departments to reconcile the disparity of technology that inevitably results when two organizations, each with its own computer system, merge.
“The totality of information is huge,” Horton said. “Billing, labs, third party applications, patient information, patient portals. All of these data platforms can be vulnerable.”
Horton said Breadcrumb follows a standardized process when attempting to reconcile disparate data sources.
“First, we must unearth the data,” he said. “We must identify where the data is stored. Then we must identify the difficulties in place (relating to where the data is housed).”
Threat actors also exploit staff emails. Horton said phishing emails, which along with phishing text messages are a type of scam cyber attackers use to deceive people, account for 75% of the fraud associated with cyber and ransomware attacks.
“A standard attack may target everyone in the company,” he said. “Threat actors cast a wide net.”
What’s changed, he said, is that these individuals have become savvier. Horton said that since 2019, there has been an increase in the number of phishing attacks that target specific individuals, which IT departments find difficult to stay abreast of.
A CHANGING M.O.
A troubling reality for hospitals is that hackers have changed how they target facilities. According to a report published on the American Hospital Association (AHA) website, hackers have expanded their attacks to include medical devices. The report notes that the 2017 WannaCry ransomware attack in the U.K. infected 1,200 diagnostic devices, which resulted in five hospitals closing their emergency departments and diverting patients to other facilities.
According to AHA, WannaCry should not be viewed as an isolated incident; rather, the attack essentially ushered in a new generation of cyberwarfare. AHA noted that WannaCry was a coordinated, global attack that struck companies and organizations in 150 countries.
According to the FBI, it was the first known attack to target medical devices. Lastly, it was one of the first acknowledged state-sponsored attacks; and the FBI and the Department of Homeland Security determined that the attack originated in North Korea.