The cyber diagnosis? Risky, expensive, and damaging.
What happened on a recent Sunday morning could be compared to cancer that spreads from one part of the body to another, affecting everything around it at the same time.
In this case, the ransomware slipped quickly through hundreds of servers and thousands of devices used to treat hospital patients.
Doctors and nurses found themselves essentially locked out of the tools of their trade. And then the tools went dark altogether.
The CEO explained how the IT department responded to this spreading ransomware infection:
"As a result, we suspended user access to information technology applications related to our operations."
The hospital then canceled all "urgent surgical cases" and all radiology exams. And it diverted many emergency room patients at a time when staffed hospital beds are perhaps more important than ever.
What did it do next? It paid the ransom.
All of this happened the same week that a large healthcare provider announced an eye-popping $100 million impact from its recent ransomware attack.
This is the human and financial toll of ransomware attacks against healthcare.
Hospital ransomware attack: patient impact
By some standards, Memorial Health System is small. It has approximately 3,000 employees stretched across three hospitals and dozens of outpatient clinics in Ohio and West Virginia.
However, at a time when space in hospitals is at a premium because of the COVID-19 Delta variant, the impact of a cyberattack keeping patients away from hospital beds cannot be overstated.
In addition to canceled surgeries and radiology appointments, five days after the attack started, patients are still being diverted.
Memorial's CEO, Scott Cantley, explains why:
"It is in the best interest of all other patients to be taken to the nearest accepting facility. If all area hospitals are on diversion, patients will be transported to the emergency department closest to where the emergency occurred. This diversion will be ongoing until IT systems are restored."
Hospital group pays ransom to attackers
Part of restoring the hospital's thousands of servers and devices is happening because the organization decided to pay a ransom to the cybercriminals.
The CEO announced that news at a press conference this week:
"We have completed an agreement and received the keys to unlock our servers and begin to process recovery."
Negotiations, Cantley says, that were made possible through its insurance carrier. And now restoring its systems is underway:
"We are following a deliberate, systematic approach to bring systems back online securely and in a manner that prioritizes our ability to provide patient care. This could happen as early as Sunday."
However, the CEO says it will take weeks to unlock every single device that was encrypted by ransomware.
Now, here is a question: how much does a week's worth of downtime cost a healthcare network?
In this case, we do not know. However, Scripps Health just announced a nine-figure impact from its recent ransomware attack.
Scripps Health ransomware losses top $100 million
In a filing with the SEC, Scripps Health explained to investors how its 2021 ransomware attack that disrupted services for 25 days will cost more than $100 million.
"On May 1, Scripps experienced a significant cyber security incident. We took immediate action to contain the threat and help reduce disruption to patient care.
These steps included shutting down many of our systems, initiating emergency manual down-time procedures, initiating an investigation, and notifying federal law enforcement.
In addition, computer consulting and forensic firms were engaged to assist in our investigation and restoration of systems. All systems were restored by May 26, 2021.
Total estimated revenue loss and incremental expenses incurred due to the cyber incident is approximately $112.7 million through June 30th."
In its filing, Scripps says the cost breakdown includes lost revenue of $91.6 million and incremental costs incurred to address the cybersecurity incident and recovery at $21.1 million.
The company anticipates insurance coverage will reimburse the company for about $20 million, which is a fraction of the financial impact.
Healthcare sector unprepared for ransomware surge
The original COVID-19 surge and the Delta variant have both created trouble for hospitals; however, most have contingencies for addressing public health emergencies.
Ransomware attacks against hospitals are also surging, but new research indicates that the healthcare sector remains largely unprepared.
Phillips and CyberMDX just published their Perspectives in the Healthcare Industry research. The study found the following:
- 48% of hospital executives reported either a forced or proactive shutdown in the last six months as a result of external attacks or queries.
- Despite continuing cyberattacks against healthcare and roughly half of respondents experiencing an externally motivated shutdown in the last six months, more than 60% of hospital IT teams have "other" spending priorities and less than 11% say cybersecurity is a
high priority spend. - When asked about common vulnerabilities such as BlueKeep, WannaCry and NotPetya, the majority of respondents said their hospitals were unprotected. 52% of respondents admitted their hospitals were not protected against the BlueKeep vulnerability, and that number increased to 64% for WannaCry and 75% for NotPetya.
And that is a diagnosis for continued ransomware risk in healthcare.
These factors reveal why both patients and profits can suffer while cybercriminals take their cryptocurrency and run.