Saturday, September 30, 2023

What a hospital's slow recovery from a cyber attack means for patients

In the fall of 2021, Johnson Memorial Health staff hoped they could finally catch their breath. They had just come off a week-long surge in covid-19 hospitalizations and deaths fueled by the Delta variant.

But at 3am, Friday, October 1st, the hospital CEO’s phone received an emergency call.

“My director of nursing said, ‘Well, it looks like we’ve been hacked,’” said David Dunkle, CEO of the Franklin, Indiana, health system.

The information technology team at Johnson Memorial had discovered that a ransomware group had infiltrated the health system’s network. Hackers left ransom notes on each server, demanding that the hospital pay $3 million in bitcoin within days.

The ransom note was signed by “Hive,” a prominent ransomware group that targeted more than 1,500 hospitals, school districts, and financial firms in more than 80 countries, according to the Department of Justice.

Johnson Memorial is just one of the victims of a wave of cyberattacks targeting US hospitals. A study found that cyberattacks on state healthcare facilities more than doubled from 2016 to 2021, from 43 attacks to 91.

After a breach, the focus is often on the risk of confidential patient information being exposed, but these attacks can also cost hospitals millions of dollars in the months that follow and can cause potentially life-threatening interruptions in patient care.

Following its own attack, Johnson Memorial staff suddenly had to revert to low-tech patient care. They relied on pen and paper for medical records and notes and sent runners between departments to take orders and deliver test results.

Hours after the 3am call, Dunkle was on the phone with cybersecurity

The most pressing issue on his mind: Should his hospital pay the $3 million ransom to minimize disruption to its operations and patient care?

Dunkle feared the U.S. Treasury Department’s Office of Foreign Assets Control could fine the hospital if it paid a ransom to an unknown entity on the sanctions list.

Dunkle also feared possible lawsuits, because the hackers claimed they had stolen sensitive patient information, which they would post to the “dark web” if Johnson Memorial Hospital didn’t pay. Other health data breaches have led to class action lawsuits by patients.

The Office for Civil Rights within the Department of Health and Human Services can also impose financial penalties on hospitals if patient data protected by federal privacy laws is breached.

“It was information overload,” Dunkle recalls. All the while, his hospital was filled with patients needing care and staff who didn’t know what to do.

[Photo: clear plastic bins filled with paper medical records in file folders. Within a month of the October 2021 cyber attack, Johnson Memorial had to revert to using pen and paper to update medical records. (Farah Yousry / Side Effects Public Media)]

In the end, the hospital did not pay the ransom. Leaders decided to disconnect after the attack, take stock, and then rebuild, which meant shutting down multiple critical systems. This disrupted the normal functioning of various departments.

The emergency department diverted ambulances carrying patients to other hospitals because staff were unable to access patient medical records. In the maternity unit, newborns often wear safety bracelets on their lower legs to prevent unauthorized adults from moving the baby or leaving the maternity unit with the baby. When the tracking system was turned off, staff personally guarded the unit door.

During one delivery, nurses struggled to communicate with an Afghan refugee who had arrived from a nearby military post to give birth. The remote translation service they normally use was inaccessible due to the cyber attack.

“Stressed nurses are using Google Translate to communicate with this woman in labor,” said obstetrics manager Stacey Hummel. “It’s crazy.”

Hummel says it’s the toughest challenge she’s ever faced in her 24 years in the industry, even worse than the covid-19 pandemic. As the cyberattack unfolded, her care team was praying, “Please don’t let the fetal monitor go down.”

And then they did.

Clinical staff suddenly could no longer receive the digital notifications outside the delivery room that help them monitor fetal vital signs. This meant critical data points, such as dangerously low heart rates or high blood pressure, might go unnoticed.

“When that happens, we have to have a nurse in every room,” Hummel said. “So staffing is a nightmare because you have to stand there and look at the monitors.”

The hospital’s billing department was also down. Months later, they were unable to pay their insurance plans in time. An IBM report estimated that the average cost of each cyber attack on a hospital is close to $10 million (excluding any ransom payments), the highest of any industry. As a result, cyberattacks pose an existential threat to the survival of hospitals across the country, hospital leaders said.

Cyber insurance has become an important part of hospital budgets, according to John Riggi, national advisor for cybersecurity and risk at the American Hospital Association.

But some organizations found that insurance coverage was not comprehensive, so they faced millions of dollars in losses even after an attack. Meanwhile, insurance premiums can skyrocket after a cyberattack.

“Government can certainly help in the area of cyber insurance, maybe create a national cyber insurance fund, like post-9/11, when people can’t get insurance against terrorist attacks, to provide emergency financial assistance,” Riggi said.

The federal government has taken steps to address the threat of cyberattacks on critical infrastructure, including a training and awareness campaign by the federal Cybersecurity and Infrastructure Security Agency. Multiple ransomware groups, including Hive, the group that hit Johnson Memorial.

Today, Johnson Memorial is up and running again. But Rick Kester, the hospital’s chief operating officer, said it took nearly six months to return to near-normal operations.

“We worked…every day, every day in October. Some days, 12, 14 hours,” Kester said.

The hospital is still dealing with some ongoing bills. Dunkle said its revenue cycle has not fully recovered, and the cyber attack insurance claims it filed nearly two years ago remain unpaid. The hospital’s annual insurance premiums have risen 60% since the incident.

“The cost increases over the past three or four years have been unbelievable, and … it can be even more frustrating when your claims aren’t being paid,” he said. “We’re investing so much in cybersecurity right now that I don’t see how small hospitals can afford [operating] much longer.”

This week, a hospital in Illinois could become the first to shut down due to a cyber attack. Suzanne Stahl, chairman of the hospital’s parent company, SMP Health, said, “Due to a number of factors, the hospital was unable to continue operating, such as the covid-19 pandemic, cyber attacks and staff shortages.”

The hospital suffered a ransomware attack in 2021 that prevented it from collecting insurance bills, said Linda Burt, the hospital’s associate dean for quality and community services. Subsidy or Medicare has been on for more than three months. Burt said the inability to file claims has put the hospital in a “financial spiral.”

This article is from partners including Side Effects Public Media, NPR and KFF Health News.


