Healthcare System Falls Victim to Ransomware Attack, Reinforces Need for Emergency Preparedness Nationwide
These extend beyond health emergencies, such as the COVID-19 pandemic, to include dangerous and often costly cyberattacks. Take last week’s ransomware attack on Prospect Medical Holdings, a chain that owns 16 hospitals and over 150 outpatient facilities in four states. The situation forced the organization to take its national computer systems offline, causing some locations to close temporarily and patients to miss certain non-emergency services.
According to ASPR-TRACIE, which strives to fill gaps in healthcare system preparedness capabilities by sharing information and promising practices during planning efforts, cyberattacks highlight the need for healthcare organizations of all sizes and types to implement cybersecurity best practices. They also emphasize the need for facilities to conduct robust planning and exercising for cyber incident response and consequence management.
Ransomware, as explained by the U.S. Cybersecurity & Infrastructure Security Agency (CISA), is a highly disruptive form of criminal cyberattack. Hackers attempt to encrypt a victim’s computer files and demand payment — usually in cryptocurrency — for a program that may make them accessible again. Regardless of whether the victim pays, such attacks can leave victim organizations scrambling for days or even weeks and months to bring their systems back online.
Consider the ransomware attack on CommonSpirit Health, a chain of 140+ hospitals, in October 2022. The personal data of more than 623,700 patients was exposed, leaving the company no choice but to pause computer operations across the country. The incident resulted in an estimated loss of $160 million and two class-action lawsuits as of June 2023.
Unfortunately, no healthcare organization is immune to today’s advanced cybersecurity threats. In fact, and as per CISA, such operations may be even more susceptible than others. How so? Health information technology (IT) provides critical, life-saving functions and consists of connected, networked systems that leverage wireless technology, leaving such systems more vulnerable to cyberattacks.
While a “catch-22” situation, the healthcare industry must prioritize cybersecurity and invest when and where possible to protect patients’ health and personal data. This includes adopting the preparedness perspective of “when” not “if” a cybersecurity incident will occur and incorporating a response to cyberattacks into an organization’s emergency preparedness plan. The Joint Commission, a global driver of quality improvement and patient safety in healthcare, requires such plans.
Given that cybersecurity firm Recorded Future is reporting the recent hack into Prospect Medical Holdings as the 157th cyberattack on a U.S. healthcare organization this year, time is of the essence.
Cybercriminals work 24/7/365. So, if it’s been a while since your hospital or healthcare facility reviewed its plans for emergency preparedness, including cyberattacks, move it to the top of your list. Doing so will help your organization maintain its quality of care and safeguard patient data, its reputation, and the bottom line.