Ransomware Attack Can Affect Hospitals Nearby, Create Havoc
By Greg Freeman
EXECUTIVE SUMMARY
A ransomware attack or other cyberattack can critically affect other hospitals in the community or health system. Hospitals should be ready to respond.
- Nearby hospitals may be overwhelmed with transfers and diversions.
- Patient records could be unavailable or incomplete.
- Work with other hospitals to develop a joint response plan.
If one’s response to a hospital in the community fighting a ransomware attack is only relief that it was not their facility, they could be in for a surprise. Even hospitals not hit by hackers can feel the ripple effect and suffer consequences.
It is common for a ransomware attack at one hospital to affect surrounding healthcare systems, says Layna Cook Rush, CIPP/US, CIPP/C, shareholder with Baker Donelson in Baton Rouge, LA. Depending on the extent of the attack, a hospital may be effectively unable to treat patients. For instance, a ransomware attack could impede surgical equipment or other devices that require use of the network.
“Additionally, if a hospital cannot access its patients’ electronic health records, it may not have the information necessary to treat those patients. Therefore, procedures may need to be rescheduled at neighboring hospitals,” Rush says. “If one hospital in a community is suffering a ransomware incident, other hospitals in the community may experience an influx of unexpected patients. This scenario is not one that hospitals may have prepared for in incident response planning, but it is one that should be given consideration.”
Another consequence of a ransomware attack that may be less obvious is the concern for migration of the malware from one hospital’s systems to other healthcare systems. It is not uncommon for healthcare entities to allow other providers direct access to their electronic medical records for the efficient and quick provision of care to their shared patients. That connectivity could lead to migration of the malware from the affected hospital to the other healthcare system’s network.
For this reason, if a healthcare organization learns that an entity with a direct connection to its network has suffered a cyber incident, it should quickly assess whether the connectivity between the two entities should be disabled, Rush says. Best practice would also be to implement and/or run its own detection software on its system to ensure its environment has not been tainted.
When a hospital is the victim of a ransomware attack, it may be able to restore records from its backup or decide to negotiate and pay the ransom to obtain the decryptor tool from the threat actor. In either scenario, there is a risk the data integrity is compromised because decryptor tools are not foolproof. Sometimes, backups fail to fully execute. The records that have been restored after a ransomware attack may be incomplete.
“Other healthcare providers in the community who may treat a shared patient and who request records from the impacted hospital may not receive a complete and accurate medical record. Errors in a patient’s medical record could result in inadequate or improper treatment of that patient,” Rush says. “Healthcare entities receiving records from another provider who recently experienced a cyberattack should consider procedures for checking the completeness and accuracy of the records received.”
Expect Attacks Nearby
The most valuable record on the dark web is a healthcare record — not financial or payment information, as most people assume, says Peter Halprin, JD, partner with Pasich in New York City. That means all hospitals should be prepared for a ransomware attack.
The attack will critically affect the target hospital and health system, but there also is a ripple effect. Even if these other nearby entities are not hacked, they will suffer from the ransomware anyway.
“The effect can be especially bad in an area that may be underserved, where that could be particularly challenging in terms of trying to care for patients,” Halprin says. “Hospitals and hospital systems will be trying to work with the resources that they have to treat a now-broadened patient load as a result of a ransomware attack.”
Healthcare organizations should carry cyber insurance that would help in these situations, Halprin notes. Not only can the insurance help with financial concerns, but the insurer can provide resources and connections to help protect from some of the damage caused by ransomware.
“In order to get cyber insurance in the first place, you have to be at a certain level of cyber preparedness. The insurers are really making folks jump through hoops to even qualify,” Halprin says. “That in and of itself can be a valuable process because it helps companies understand what at least a base level of security is to be insured.”
Plan to Change Operations
When a hospital is hit with a ransomware attack, all facilities in the community and the health system should be ready to change operations as needed, says Nick Puetz, managing director and global head of cyber strategy and transformation at Protiviti, headquartered in Menlo Park, CA. The situation is analogous to a natural disaster or other incident that inhibits the facility’s access to supplies, utilities, or digital information.
“It has impacted you operationally to a point that patient care is being directly [affected],” Puetz says. “Now, I’ve got to think operationally different about how I’m going about my day vs. how I would normally operate.”
Hospitals can feel the effects of ransomware even when the target was not a healthcare provider, Puetz says. In the 2022 Kronos attack, one target was a company that provided time management services to healthcare organizations around the world.
“They had an attack that took them down, and therefore all of their customers had to kind of go back into the Stone Age from a timesheet perspective,” Puetz says.
Do Not Assume Safety
The immediate effect when one hospital suffers a cyberattack is patient flow, with the potential for EMS dispatchers to start sending a greater proportion of patients to a non-affected hospital, says Alan Brill, senior managing director of cyber risk at Kroll in Secaucus, NJ. But there is another effect that is at least as important — and is not always considered.
“Don’t assume the attack is over. One hospital hit by ransomware is terrible, but the hackers know that if they can shut down multiple institutions with ransomware, their effect is multiplied, and those affected are more likely and more motivated to pay up and hopefully get back into normal operation,” Brill explains. “Once one hospital in an area is hit, every other institution in the area has to recognize that it’s at high risk of being the next victim.”
When another hospital is hit with ransomware or another a cyberattack, Brill advises establishing a liaison with the ransomware victim hospital to find out everything they know about. How did the ransomware come in? Was it phishing, or did someone insert a thumb drive into an unguarded PC? Was it an internet drive-by where someone visited a hostile site and ended up downloading an infected payload?
“This is something that should have you considering setting up a meeting of all the hospitals in the area and developing a protocol that provides for mutual information sharing and assurances that whatever a victim institution shares with the others will be kept in strict confidence,” Brill suggests. “You should consult with counsel on how to structure this, as you don’t want to find yourself in a situation where you share a piece of information your counsel believes should be kept confidential, and then it can be sought from other institutions with which you had shared attack information.”
Use that information to strengthen defenses, Brill advises. Send reminders to everyone in your organization about best practices for preventing an attack. Make sure backup files are up to date and not subject to encryption in a ransomware attack. Take potentially vulnerable systems offline, if possible, or consider putting another computer in front of it, perhaps protected with a web application firewall.
Hospitals also should look at any devices connected to the Internet of Things.
“Things ranging from auto-analyzers to imagers and even freezers that you use to store temperature-sensitive medications — any of those can be vulnerable to an attack,” Brill explains. “Hackers are well aware that they can add to a potential ransomware victim’s panic by disabling freezer alarms and increasing the storage temperature or shutting down a diagnostic imager or radiation treatment unit.”
This is a good time to take an inventory of what is connected to the network, Brill suggests. The IT team should be able to scan the networks to identify every device attached, whether it is hardwired to the network or connected to a wireless router. If no one knows what a device is, consider not letting it operate on the network until you know what it is.
Depending on what systems are hit by the ransomware, the victim hospital may need to reduce its patient count with transfers, particularly in departments hardest hit by the attack, Brill says. This can pose its own risk to the receiving hospital because transferred patients may have limited medical information that can be sent to them, particularly if the electronic medical records systems are affected.
The institution might find it cannot order or immediately pay for needed supplies, so other institutions may have to provide short-term help, Brill notes. He suggests considering a mutual assistance agreement before an incident occurs.
If another hospital in the area is hit by ransomware, expect to see an uptick in media interest in your institution, Brill warns. Media sources know hospitals will be under stress.
“What you want to do is not reveal what you’re doing to strengthen your cybersecurity. Don’t brag, don’t specify. Stick with something nondescript, such as: ‘Obviously, we’ve seen what happened, and we’re working to protect ourselves, as we are always doing,’ or something to that effect,” Brill says. “Consider using a specialist in crisis communication to manage the flow of information, even though you aren’t the ransomware victim.”
Prepare Now with a Plan
Often, ransomware attacks happen quickly and without warning, so it is important for organizations to have response plans already in place, says Darpan Thaker, senior director of data protection and disaster recovery at 11:11 Systems, a cyberservices company based in Fairfield, NJ. This is especially critical for hospitals where patient lives and information can be affected. Intersystem coordination must be considered when creating a plan.
“It’s important for hospitals to communicate with each other to understand which locations are able to accommodate a rush of new patients, how patients will be transported between sites, how patient data will be transferred and new information recorded, what fail-safe methods will be used for equipment and medicines, and other issues,” Thaker says. “Once plans and procedures are put into place, this information must be communicated to all necessary parties to ensure everyone understands their role in various scenarios.”
Changes in systems and processes are inevitable. Periodic tabletop exercises and simulations are highly recommended to identify the gaps and implement remediation, Thaker says. This also ensures any new staff member is well-equipped to carry out their tasks swiftly, especially when business is down.
Safety and Liability Risks
The ripple effect of a hospital suffering a ransomware attack can create significant patient safety and liability risk for other facilities, says David N. Vozza, JD, an attorney with Norris McLaughlin in New York City.
“If a hospital’s computer systems are compromised, they may be forced to reroute patients — perhaps in emergent or acute care situations — to nearby facilities that may not even be equipped to handle the type of care or number of patients,” Vozza notes. “This is a recipe for disaster.”
The most immediate effect is an influx of patients at neighboring hospitals, leading to longer wait times, potential delays in care, and strained resources, Vozza says. Health information exchanges also will be affected. If hospitals rely on exchanging patient data for coordinated care, a ransomware attack can disrupt this process. Other hospitals might face challenges in obtaining essential health information about transferred patients.
Hospitals in the vicinity might need to reallocate resources — both human and material — to accommodate more demand, which could affect the care provided to their regular patient population.
Public health surveillance also could suffer. Ransomware attacks can disrupt the hospital’s role in reporting infectious diseases, which could impede public health agencies’ ability to monitor disease trends and outbreaks in the community, Vozza says.
Hospitals should invest in strong cybersecurity infrastructure and practices to prevent such attacks. This includes regular system updates, staff training, firewalls, intrusion detection systems, and robust incident response plans.
Hospitals also should incorporate potential cybersecurity incidents into their emergency preparedness planning. This can ensure they put protocols in place to reroute patients, manage increased patient loads, and maintain critical services during a cyberattack.
“Some hospitals may consider investing in cyber insurance to help cover the costs associated with a cyberattack, including recovery efforts and potential lawsuits,” Vozza says. “Clear and immediate communication with other healthcare facilities, emergency services, and patients during an attack is essential to manage the situation effectively.”
Networks Are Vulnerable
If hospitals in a community rely on a centralized system or infrastructure, a ransomware attack on one hospital can disrupt the entire network, says Adam Mahmud, senior product marketing manager at Jamf, a cyberservices company headquartered in Minneapolis. If one hospital is targeted by a ransomware attack, there is a risk the malware could spread to other hospitals through shared networks or systems. This could result in a wider impact, potentially affecting the availability and integrity of patient data across multiple healthcare facilities.
This can lead to a temporary or prolonged loss of access to critical systems, including EHRs, laboratory results, scheduling systems, and communication platforms. The inability to access these systems may hinder the provision of timely and efficient healthcare services in the affected hospitals.
“Ransomware attacks often exploit vulnerabilities in software or systems. If the initial attack targets one hospital, there is a risk that the same vulnerability could exist in other hospitals within the community,” Mahmud explains. “Cybercriminals may attempt to exploit this situation and target additional hospitals, leading to a cascade of ransomware incidents in the community.”
SOURCES
- Alan Brill, Senior Managing Director of Cyber Risk, Kroll, Secaucus, NJ. Phone: (201) 319-8026. Email: [email protected].
- Peter Halprin, JD, Partner, Pasich, New York City. Phone: (424) 313-7890. Email: [email protected].
- Adam Mahmud, Senior Product Marketing Manager, Healthcare, Jamf, Minneapolis. Phone: (612) 605-6625.
- Nick Puetz, Managing Director and Global Head, Cyber Strategy and Transformation, Protiviti, Menlo Park, CA. Phone: (888) 556-7420.
- Layna Cook Rush, CIPP/US, CIPP/C, Shareholder, Baker Donelson, Baton Rouge, LA. Phone: (225) 381-7043. Email: [email protected].
- Darpan Thaker, Senior Director, Data Protection and Disaster Recovery, 11:11 Systems, Fairfield, NJ. Phone: (800) 697-7088.
- David N. Vozza, JD, Norris McLaughlin, New York City. Phone: (917) 369-8867. Email: [email protected].
If one’s response to a hospital in the community fighting a ransomware attack is only relief that it was not their facility, they could be in for a surprise. Even hospitals not hit by hackers can feel the ripple effect and suffer consequences.
Subscribe Now for Access
You have reached your article limit for the month. We hope you found our articles both enjoyable and insightful. For information on new subscriptions, product trials, alternative billing arrangements or group and site discounts please call 800-688-2421. We look forward to having you as a long-term member of the Relias Media community.