Ardent Health Services, a Nashville-based healthcare provider, fell victim to a ransomware attack on Thanksgiving Day morning, November 23, that disrupted its IT operations and forced hospitals to divert emergency room patients to other facilities. The incident highlighted the growing threat of cyberattacks to healthcare organizations, which are increasingly reliant on technology to deliver care.
Ardent's IT team detected suspicious activity on its network in the morning as families were prepping for their Thanksgiving feasts. The attack quickly escalated, and the company was forced to take its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet, and clinical programs.
This disruption significantly impacted Ardent's operations, causing delays in patient care and forcing some hospitals to reschedule elective procedures.
"In an abundance of caution, our facilities are rescheduling some non-emergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online," the company said in a news release.
Ransomware criminals often wait until a major holiday or long weekend before launching attacks, looking to take advantage of the fact that fewer security employees likely will be on duty.
[RELATED: The Holiday Hacker Case Study]
Hackers have been targeting hospital chains since ransomware became a major cybercrime trend in 2019. In June, St. Margaret's Health, a hospital located in Spring Valley, Illinois, announced its closure due to a cyberattack that occurred in 2021. One of Spain's leading hospitals, Hospital Clinic de Barcelona, was hit by a ransomware attack on March 5 of this year that affected its computer systems and forced the cancellation of thousands of appointments and surgeries.
"Ransomware attacks against the healthcare industry have a unique and often overlooked risk in the form of user health records. Many ransomware attacks today involve exfiltration of victim data," said Dave Monnier, CIO of Team Cymru. "In this case, there are two victims. The health provider may have suffered a technical loss, but their customers, the patients, are also victims."
"Imagine a scenario where it was discovered a powerful decision-maker was secretly sick. What might that do to things like stock value, or even staff retention?" Monnier continued. "A few percentage slide in company value on the stock market could be in the hundreds of millions if not billions of dollars. The implications of exposed health records aren't easily quantified for most people, but for some, their records being exposed can impact many more people than just the person whose record was exposed. "
Hospital administrators are quick to point out that, to date, there have been no known cases in which a ransomware attack on a healthcare facility has been proven to lead to a patient's death.
"However, there are two well-documented cases that come very close," said Kip Boyle, vCISO, Cyber Risk Opportunities LLC. "The first one was in 2020: An Alabama woman sued her hospital, Springhill Medical Center, which had been the victim of a ransomware attack, after her newborn baby died. The mother said in the case that the hospital didn't tell her that hospital computers were down because of a cyberattack, and subsequently gave her severely diminished care after she delivered her daughter."
"In the other case, also in 2020, the failure of IT systems at a major hospital in Duesseldorf, Germany, resulted in a woman's death after her ambulance had to be diverted to another city when the closest emergency room was shut down due to ransomware attack," Boyle continued. "Since there is no sign of ransomware slowing down anytime soon, it's likely we'll continue to see patient deaths associated with these cyberattacks."
Here are some additional comments from experts in the cybersecurity vendor community:
Saeed Abbasi, Manager of Vulnerability and Threat Research at Qualys:
"Implementing blockchain technology in healthcare can enhance data integrity by providing a secure, tamper-evident storage solution for sensitive health records. This approach adds an extra layer of security against unauthorized data alterations. Also, conducting regular, unannounced cybersecurity audits and drills is vital for keeping the system resilient. These proactive measures aid in evaluating the effectiveness of existing security protocols and the preparedness of response teams, ensuring a robust defense against potential cyber threats."
Claude Mandy, Chief Evangelist, Data Security, at Symmetry Systems:
"The challenge for most ordinary doctor's offices is that sensitive information must be shared to protect human lives, however, they don't have the security capabilities to adequately protect this data from unauthorized access or monitor suspicious activity. This information has historically been stored almost everywhere, and for most, they lack Zero Trust capabilities to enforce better authentication before giving access to medical records. As a result, they have historically had no visibility of this information, limited ability to control data access. This has required multiple tools to get some semblance of security, rather than leveraging modern data security capabilities to instantly and accurately identify and inventory all of your data and identities.
Cybercriminals are focused on monetizing access to data through impacts to the availability of lifesaving data, or increasing the threat of releasing sensitive, and sometimes embarrassing, data to the public. Nation-states may take similar tactics to coerce users to perform activities in their interests. Medical records have become obvious targets as a result."
Team Cymru's Monnier added:
"From a threat intel perspective, aside from the usual good advice angle, the key for many of these institutions is to have a solid understanding of what 'normal' looks like on their network. If an intruder gains access to your network and exfiltrates gigabytes of data, you should see it; if not by using exfiltration detection methods like watermarks in documents, at least in knowing that it's odd for a host to suddenly start transiting data at that volume to an off-site location.
Intelligence on their business operations and understanding that baseline, as unexciting as it sounds, really goes a very long way at getting in front of these kinds of incidents. It takes time to exfiltrate data. All of that time could be used on detection."