Ohio Hospital Still Struggling One Week After CyberattackHow Can Other Healthcare Entities Better Prepare for Disruptive Attacks?
A Portsmouth, Ohio-based hospital is still struggling to fully recover - continuing to cancel and postpone some patient care services - one week after it revealed that hackers had gained access to some of its servers in what it said appeared to be a "targeted cyberattack."
Southern Ohio Medical Center revealed via social media on Nov. 11 that "an unauthorized third-party" had gained access to its servers, and that the 248-bed hospital was diverting ambulances with emergency patients to other hospitals, but still caring for patients already admitted.
By the next day, SOMC had stopped diverting ambulances, but throughout the week, including Thursday, was still canceling or rescheduling many patient care services, including sleep lab appointments, pulmonary function tests and outpatient rehab, as it continued to remedy its widespread outage, including email.
"We are working around the clock to get full functionality," a SOMC spokesman told Information Security Media Group on Thursday. He said the hospital hopes to complete recovery "as soon as possible," but he did not have a timeline on when that might happen.
The spokesman declined to discuss which IT systems were still affected and details of the attack, including whether it had involved ransomware or if threat actors had demanded a ransom, saying the incident was under investigation.
SOMC, which typically offers a range of healthcare services including emergency, surgical, outpatient and hospice care, noted on its Facebook page that it was working with federal law enforcement authorities and security firms to investigate the incident.
The SOMC situation is one among a growing victim list of recent cyberattacks on healthcare entities resulting in critical IT outages causing disruption to patient care services.
In August, Marietta, Ohio-based healthcare entity Memorial Health System was hit with an apparent ransomware incident that disrupted patient care services, prompting the organization to temporarily divert emergency care patients from three of its hospitals to other area facilities.
"Organizations need to practice response and recovery, including regular tabletop exercises that include senior leaders from the business and exercising of the restoration processes to verify they function as intended and are effective."
—Jon Moore, Clearwater
Also, a cyberattack in July on DuPage Medical Group, the largest multispecialty group practice in Illinois, caused a network system outage that among other issues, led to patients having difficulty calling their doctors’ offices and accessing online medical records.
In September, DuPage reported to federal regulators a data breach affecting more than 655,000 individuals tied to the hacking incident.
One of the most noteworthy attacks so far this year was a May ransomware attack on San Diego-based Scripps Health, which resulted in systems outages for nearly a month.
The California organization reported in August to financial regulators that the security incident had so far cost nearly $113 million, including $91.6 million in lost revenue. About $21 million is expected to be covered by insurance, the entity reported.
Several proposed class action lawsuits have been filed against Scripps Health in the wake of that incident (see: Lawsuits: Patients 'Harmed' by Scripps Health Cyberattack).
In June, Scripps Health reported the hacking incident to the Department of Health and Human Services as a HIPAA breach affecting more than 147,000 individuals.
In an extreme example of a cyberattack's disruption to patient care, a mother last year filed a malpractice lawsuit against Mobile, Alabama-based Springhill Medical Center, alleging that her baby suffered birth complications and later died as a result of a July 2019 ransomware attack on the hospital, which she says impeded clinicians' access to timely fetal monitoring and other systems during her labor (see: Lawsuit: Hospital's Ransomware Attack Led to Baby's Death).
Jon Moore, chief risk officer of privacy and security consultancy Clearwater, says that the silver lining in some of these recent high-profile healthcare sector attacks is that in the past six months, he's seen "a visible increase" in the number of organizations strengthening their security controls.
"This trend is being driven by the continuing ransomware and phishing attacks, increasing focus from investors, boards and senior leaders, and the more stringent requirements of cyber liability insurers," he notes.
But the bad news, he says, is that he still sees many organizations that continue to lag in their recovery-focused controls.
"The biggest mistake we see is not preparing and practicing before a critical system is lost," Moore says.
And often organizations prepare business continuity and disaster recovery plans without input from the business units, resulting in an inefficient allocation and prioritization of resources, he says.
"Planning and practicing recovery cannot be done effectively by the cybersecurity or IT teams alone. Senior leaders in the business and business units must also be engaged.
"We see plans and processes that are not tested and fail when organizations try to implement them under pressure. We see organizations lose precious time because governance of the recovery process is not documented and practiced, leaving questions about who is in charge of what."
According to Moore, the business continuity planning process should start with a business impact analysis to understand the criticality of systems to the business, the impact or cost of disruption of those systems and defined objectives for recovery, including the systems and data.
Next, the cybersecurity and IT teams need to develop business continuity and disaster recovery plans, including a backup strategy and processes that will achieve those objectives, he says.
"Finally, the organization needs to practice response and recovery, including regular tabletop exercises that include senior leaders from the business and exercising of the restoration processes to verify they function as intended and are effective."