Cyberattacks Disable IT Networks at 2 Indiana Hospitals
Some Patients' Care Previously Postponed Due to COVID-19; What Happens Now?
Two Indiana hospitals say their IT systems are disabled as they recover from cyberattacks suffered last week.
Both hospitals in recent weeks have had to divert patients or postpone elective procedures as COVID-19 cases surged in the state, but so far neither has said whether patient care is being affected as they deal with the data security incidents.
The two hospitals - Johnson Memorial Health in Franklin and Schneck Medical Center, located about 40 miles away in Seymour - are also the latest healthcare providers in Indiana to be hit with cyberattacks suspected to potentially involve ransomware.
Indianapolis, Indiana-based Eskenazi Health, which operates a public healthcare system, was hit in early August with a ransomware attack that also involved the exfiltration of patient and employee data, some of which was later posted by hackers on the dark web (see: After Ransomware Attack, When Must Patients Be Notified?).
Eskenazi began notifying about 1,000 affected individuals last week.
Johnson Memorial Hospital Attack
Johnson Memorial Health, a 125-bed facility, says in a statement posted on its website that it is working with the FBI and cybersecurity experts to investigate a cyberattack that occurred on Saturday.
As a result of this attack, the computer network at Johnson Memorial has been disabled, the statement says. "We are working as quickly as possible to restore normal computer operations," the hospital says.
"However, these types of attacks take time to fully resolve and it may be several days before the JMH computer system is fully operational."
A receptionist answering the phone at Johnson Memorial on Monday told Information Security Media Group that "all" the hospital's IT systems were still down. But the organization did not immediately respond to ISMG's request for more details about the incident and the entity's recovery status.
Johnson Memorial's last public statement over the weekend said that at the time, no appointments or surgeries had been canceled. "We ask all patients scheduled to receive services Monday to report to JMH as normal. We do recommend patients arrive a bit earlier than usual, as registration processes may be slower than on a typical day," the weekend statement said.
In early September, however, Johnson Memorial Health had begun to periodically divert or postpone some patients' care as the organization dealt with a surge in COVID-19 cases, according to local media site Daily Journal.
Schneck Medical Center Incident
Schneck Medical Center, a 114-bed hospital, says in a statement that it learned on Sept. 29 that it had been the victim of a cyberattack affecting its organizational operations.
"Out of an abundance of caution, access to all IT applications within our facilities were suspended," the statement says. "We are in the process of enhancing our IT security protocols. Third-party security partners have also been engaged to restore operations as quickly as possible."
The statement notes that "most services" at Schneck are unaffected by the incident.
"We are working with IT security experts to methodically investigate the situation, are in the process of notifying law enforcement, and are taking appropriate actions to safely and quickly resolve any disruption to our systems," the statement says.
But Schneck in early September also began postponing some elective patient surgeries requiring overnight hospital stays due to a surge in COVID-19 cases.
The hospital declined ISMG's request for comment on Monday, including the status of the entity's recovery from the cyberattack and whether patient appointments and procedures were still being postponed due to the COVID-19 surge or affected by the security incident.
The attacks on Johnson Memorial and Schneck Medical Center highlight the additional risks that healthcare providers and their patients potentially face when more than one facility in a region is combating cyber-related outages while also dealing with the strain of COVID cases.
A report issued Friday by the Cybersecurity and Infrastructure Security Agency notes that during regional COVID surges, a region’s residents could temporarily lack access to medical care if all facilities in an area reach patient capacity.
But "external pressures, such as ransomware or attacks on healthcare delivery supporting infrastructure, can degrade operations in a time of crisis or urgency" even further, CISA warns.
Feeling the Sting
Even prior to COVID-19 and the rise of ransomware attacks on healthcare sector entities, multiple regional hospitals have felt the sting of cyberattacks targeting one specific entity in the area.
For instance, a 2014 hacktivist distributed denial-of-service attack directed at Boston Children's Hospital's computer network not only knocked the pediatric hospital off the internet for two weeks, but also caused internet disruptions at several other Boston hospitals for days, the U.S. Justice Department said in 2018 (see: Boston Children's Hospital DDoS Attacker Convicted).