The ransomware attack on St. Joseph’s / Candler which was first detected on June 17 is part of a growing trend of such attacks in industry and government, but particularly against healthcare providers.
“The truth is that there is a lot of progress on the side of hackers, how they can gain access to these systems,” said Soumitra Bhuyan, assistant professor at the Edward J. Bloustein School of Planning and Public Policy at Rutgers University. “It’s really scary, isn’t it? It’s evil. No doubt about it.”
Ransomware is software that encrypts a victim’s files. Once hackers slip it into a system, they demand a ransom before restoring the data. St. Joseph’s / Candler revealed few details of the recent attack. Officials have been silent about the amount of the demand and about when or how the attack was discovered, refusing even to confirm the existence of a ransom note.
But health system officials confirmed they detected the malware on the morning of June 17 and immediately took precautions to limit its damage. This meant moving to backup systems that included paper records. This has slowed down the workflow in some areas, although spokesperson Scott Larson said the system had not canceled any surgeries or procedures.
Cancer treatment appeared to be the hardest hit, with patients initially being asked to call to check appointments. On June 23, Larson reported that oncology departments were back on schedule.
CEO Paul P. Hinchey released the following statement on Friday morning, more than a week after the attack was first detected:
“We continue to work diligently to restore operations as quickly and safely as possible. St. Joseph’s / Candler takes a deliberate and methodical approach to bringing systems back online securely and in a way that prioritizes our ability to provide patient care. We continue to make progress – St. Joseph’s / Candler is admitting patients and performing surgeries, and our oncology services are currently on schedule.
“I recognize this is a difficult situation and I regret any frustration, concern or inconvenience this has caused our patients and the community. But through this challenge, I continue to be deeply proud of the dedication of our staff and their constant focus on providing high quality care to our patients.”
The investigation into the attack is ongoing, with the FBI and other law enforcement agencies involved. That the health system has not yet returned to normal is typical of cyberattacks like this one. The average time to identify and contain a data breach across all industries was 280 days in 2020, according to the IBM 2020 Data Breach Security Cost Report.
“I think (in) the healthcare industry it takes a lot longer, basically, to identify that there is a data breach,” Bhuyan said. “On average, it takes around 96 days to identify the data breach. And it can take up to a year. There are hospitals that haven’t identified that a breach has occurred for a year.”
Attacks on healthcare explode
Health systems are vulnerable for several reasons, Bhuyan said.
On the one hand, patient data is valuable.
“Patient medical data is actually worth a lot more than other types of black market data,” Bhuyan said. “We are very sensitive to our health data.”
Hackers are aware of this sensitivity.
And healthcare is complex, with systems like St. Joseph’s / Candler having thousands of employees regularly logging into laptops, desktops, smartphones, as well as diagnostic devices and computerized processing.
“Providers use health data to ensure that all parties that provide patient care – doctors, nurses, all other imaging departments – the data is shared. And each party has access to the data, so more parties have access to the data like compared to other industries, right? The violation can occur at any level,” Bhuyan said.
Bhuyan also noted that in health facilities, doctors and management exercise their authority. Doctors want quick access to medical records and don’t always appreciate spending time on precautions like two-factor authentication.
“This dual power structure is something that makes it a bit difficult for people in management or IT to actually push security measures over some of the other industries where they maybe have a huge advantage,” he said.
Ransomware attacks on healthcare nearly doubled year over year, from 50 in 2019 to 91 in 2020, according to a March 2021 article in the HIPAA Journal. Bhuyan cited even higher figures for all types of healthcare data breaches.
“The number of reported healthcare breaches, maybe due to a cyber attack or sometimes they can be as simple as someone having lost the laptop with patient data on it, it was actually around 600 in 2020, a peak of around 55% from 2019,” he said.
The pandemic has made matters worse. Working from home has opened up more avenues for attack, as has the arrival of new temporary workers such as travel nurses who may not be as familiar with an organization’s security protocols. Innovations such as makeshift treatment zones have been helpful in tackling COVID, but may also have increased cyber vulnerability.
Ransomware attacks are not really new, the first being recorded in 1989. However, they are increasingly sophisticated. Around 2016, ransomware evolved into a more threatening form.
“These new ransomware variants use strong encryption and remove or encrypt backup files to ensure that data cannot be easily recovered without paying the ransom,” the recent HIPAA Journal article said.
Costs are high and patients pay
The HIPAA Journal put the price of last year’s ransomware attacks on healthcare in the United States at $21 billion.
The attacks occur in all types of hospitals, both independent ones like St. Joseph’s / Candler and those that are part of a national network like HCA’s Memorial Health. Likewise, St. Joseph’s / Candler’s non-profit status does nothing to prevent an attack.
The denominational system is the largest in the Savannah area, with its two mainstay hospitals, Candler in downtown Savannah and St. Joseph’s on the south side of Savannah, with a total of 714 beds. The system generated around $64 million in revenue in 2019 and had net assets of over $337 million, according to its report to the Internal Revenue Service.
Hospitals have little recourse other than paying the ransom in cases where records are breached and patient safety is compromised, Bhuyan said.
The HIPAA Journal reports that “$15.6 million in ransom was demanded from healthcare organizations in the United States in 2020, and $2,112,744 was reportedly paid to ransomware gangs in 2020”. The highest costs, however, are often related to downtime, data recovery, and system restoration.
Who Pays for Cyber Attacks on Healthcare? Everybody.
“(Hospitals) increase the cost of services, once they increase the cost of services, the insurance company pays more money for the services, once the insurance company pays for more modular services, they increase the premium,” Bhuyan said. “So it’s actually a vicious cycle.”
Cyber security insurance is available but can be a double-edged sword, Bhuyan said, because having coverage can lead some organizations to let their guard down.
Bhuyan expects health cybersecurity challenges to increase in the near future, fueled by the growth of telehealth during the pandemic.
“Telehealth will be one of the main targets, along with medical devices, remote medical devices, maybe the ones that patients use for different conditions,” he said. “It can be the weak links that can be used by attackers to get into the main system.”
Mary Landers is an environment and health reporter for the Savannah Morning News. Contact her at 912-655-8295. Twitter: @MaryLandersSMN