Ransomware attacks can disrupt healthcare operations by encrypting medical records and systems or otherwise rendering them inaccessible, leading to delays in accessing vital patient information or critical medical services. This disruption can potentially impact patient care and treatment. In some cases, hospitals may need to divert patients to other facilities, causing delays in receiving necessary medical attention.
In 2020, a woman who needed immediate medical attention died because the hospital where she was seeking treatment was under a ransomware attack. In 2022, a three-year-old at a hospital in Des Moines, Iowa, was given five times his prescribed dose of medication due to a ransomware attack on the hospital’s computer systems.
While the healthcare sector is ideally one that should be spared from ransomware attacks, threat actors do not hesitate to target it when seeking financial gain. Unfortunately, recent trends indicate a surge in attacks on the healthcare industry, raising significant concerns. Let’s explore how ransomware has caused patient deaths and how disrupted care impacts neighboring Emergency Departments.
Ransomware has emerged as a significant and challenging issue in cybersecurity, posing a threat to industries globally. However, its impact becomes particularly devastating when it infiltrates hospitals, resulting in widespread repercussions that adversely affect patient care throughout the entire country.
In 2019, an unfortunate incident occurred at Springhill Medical Center when it fell victim to a ransomware attack, which tragically led to the death of a newborn baby. The baby's life was endangered during delivery as their umbilical cord was wrapped around their neck, causing oxygen deprivation. Normally, a vital signs monitor would alert hospital staff to such life-threatening situations, but the monitor failed to notify staff due to the system being compromised by a ransomware attack. The delivering doctor expressed that had she been able to see the monitor's readings, she would have opted for a cesarean section, emphasizing that the situation could have been prevented.
As a result, the baby suffered severe brain damage and died nine months later. The hospital had to defend itself in a trial related to the attack, which took place in September 2021. Although the ransomware gang Ryuk was suspected as the responsible party, given their history of targeting medical facilities between 2019 and 2020, the exact culprit behind the ransomware attack has not been confirmed.
In 2020, a ransomware attack, which appears to have been misdirected, caused the IT systems of a major hospital (Duesseldorf University Clinic) in Düsseldorf, Germany to fail. As a result of the attack, a woman in need of urgent medical attention had to be transferred to another city for treatment but died before she could receive treatment.
This incident is extremely disturbing, as it appears to be the first case where a death is indirectly linked to a ransomware attack. After the attack, disruption to Düsseldorf University Clinic's systems persisted for a week. According to the hospital, investigators determined that the root cause was an attacker targeting a vulnerability in "widely used commercial add-on software," which the hospital did not specify. Consequently, the hospital's systems experienced a gradual crash, rendering data inaccessible. Emergency patients had to be redirected to other medical facilities, and scheduled operations had to be postponed.
In 2021, St. Margaret’s Health in Spring Valley, Illinois, was the victim of a ransomware attack. After the attack, the hospital was unable to submit claims to Medicare, Medicaid, or insurers for months. This incident, in addition to St. Margaret’s being a rural hospital, resulted in a financial crisis. Sadly, the hospital had to close its doors in June 2023 because it could not financially recover from the ransomware attack.
Since the beginning of the year, the most disruptive ransomware attacks have been at the hands of five groups – LockBit, BlackCat (ALPHV), Royal, Vice Society, and Medusa Blog (also known as Medusa Locker). LockBit kicked off 2023 as January’s most prolific ransomware-as-a-service (RaaS) group. BlackCat, Royal, Vice Society, and Medusa were close behind with ransomware attacks and also showed no signs of letting up. Vice Society experienced a remarkable surge of 267% in their activity, primarily targeting victims within the Education sector. Three of those groups have caused the most heartache for the healthcare sector: Royal, BlackCat, and Medusa.
In December 2022, the Department of Health and Human Services Cybersecurity Coordination Center (HC3) warned healthcare organizations about Royal ransomware. Royal is a fairly new ransomware group and was initially observed in early 2022. Their top targets are within the U.S. The ransomware operation uses unusual techniques to breach networks before encrypting them with malware and demanding ransom payments.
Some Royal ransomware campaigns distribute the malware via malicious attachments, and some distribute the malware via malicious advertisements. Ransom demands from the threat actor range from $250,000 to more than $2 million. HC3 stated that Royal should be considered a threat to the health and public health sectors due to the ransomware group victimizing the healthcare community.
The group utilizes phishing attacks, including callback phishing, where they send deceptive emails resembling subscription renewals from food delivery or software providers. These emails provide phone numbers for victims to contact in order to cancel the alleged subscription. When victims call these numbers, they are directed to threat actors who use social engineering techniques to convince them to install remote access software. This software is then used to gain initial access to corporate networks.
Unlike ransomware-as-a-service (RaaS) operations, Royal does not work with affiliates and instead collaborates with carefully selected team members. The group maintains a relatively low profile and does not actively promote their attacks like some other groups. Since Royal emerged, the ransomware operators have evolved their delivery methods to include:
BlackCat (ALPHV) is another ransomware group that the U.S. Department of Health and Human Services warned healthcare organizations about. BlackCat ransomware is a versatile ransomware that targets various corporate environments. It is capable of attacking both Linux and Windows systems. Notably, BlackCat is coded in the Rust programming language, making it the first known instance of a ransomware group utilizing Rust to develop a ransomware strain, according to security researchers.
In January 2023, the group allegedly attacked NextGen Healthcare, a company that clinicians use for electronic health record and practice management software. Although the healthcare organization could not find proof that data was stolen at the time, BlackCat did list the organization as a victim on their data leak site before swiftly deleting the listing. It is not unusual for a threat actor to breach an organization and for the organization to find out only later how much damage was done. NextGen Healthcare has over 2,800 employees and had revenue of $600 million in 2022.
Having emerged in 2019, MedusaLocker (also known as MedusaBlog) has successfully infected and encrypted systems in various sectors, with a particular focus on the healthcare industry. MedusaLocker operates as a RaaS, sharing payment proceeds with its affiliates. Typically, the affiliates receive 55% to 60% of the earnings.
MedusaLocker employs phishing and spam email campaigns to infiltrate victim networks, attaching the ransomware directly to the emails. To bypass security tools, MedusaLocker restarts the targeted machine in safe mode before executing the ransomware. By leaving executable files unencrypted, the ransomware avoids rendering the system unusable, ensuring the victim can still access the system to pay the demanded ransom.
Since May 2022, the threat actors have focused on exploiting vulnerabilities in Remote Desktop Protocol (RDP) to infiltrate their targets' networks. Once the data is encrypted, MedusaLocker leaves a ransom note with explicit instructions in the folders where encrypted files are located.
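The safe-mode restart described above for MedusaLocker is something defenders can watch for in process-creation telemetry. The following Python detection is an added example, not Avertium's or any vendor's own detection content: it flags commands that configure a safe-mode boot and escalates when a reboot follows on the same host. The event fields, host names, the 15-minute window and the assumption that safe mode is set through `bcdedit` are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon Event ID 1 style); hosts are made up.
EVENTS = [
    {"time": "2023-06-01T02:10:05", "host": "ehr-app01",
     "cmd": "bcdedit /set {default} safeboot minimal"},
    {"time": "2023-06-01T02:11:40", "host": "ehr-app01", "cmd": "shutdown /r /t 0"},
    # Clearing the safe-mode flag is a normal recovery step and must not alert.
    {"time": "2023-06-01T09:00:00", "host": "it-ws07",
     "cmd": "bcdedit /deletevalue {default} safeboot"},
    # A reboot with no preceding safe-mode change is routine.
    {"time": "2023-06-01T09:30:00", "host": "lab-pc03", "cmd": "shutdown /r /t 60"},
    {"time": "2023-06-01T11:00:00", "host": "pacs-02",
     "cmd": "BCDEDIT.exe /set {current} SAFEBOOT network"},
]

# Assumption: safe mode is configured through bcdedit; the article does not say how.
SAFEBOOT_SET = re.compile(r"bcdedit(\.exe)?\b.*?/set\b.*?\bsafeboot\s+(minimal|network)", re.I)
REBOOT = re.compile(r"shutdown(\.exe)?\b.*?\s[/-]r\b", re.I)
WINDOW = timedelta(minutes=15)  # assumed correlation window

def detect(events):
    """Return alerts for safe-mode boot changes, escalated if a reboot follows."""
    pending = {}   # host -> time of the last safe-mode configuration
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        host = ev["host"]
        if SAFEBOOT_SET.search(ev["cmd"]):
            pending[host] = ts
            alerts.append({"host": host, "time": ev["time"],
                           "severity": "medium", "rule": "safeboot_configured"})
        elif REBOOT.search(ev["cmd"]) and host in pending:
            # Pop so one configuration change is correlated with one reboot only.
            if ts - pending.pop(host) <= WINDOW:
                alerts.append({"host": host, "time": ev["time"],
                               "severity": "high", "rule": "safeboot_then_reboot"})
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

On clinical servers, where safe-mode boots are rare outside planned maintenance, the medium-severity alert alone is usually worth triage.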
Despite the absence of precise statistics linking fatalities to cyberattacks, it is evident that hospital breaches have reached alarming levels, significantly disrupting patient care. In 2022, an incident targeting CommonSpirit Health, the second-largest non-profit health system in the U.S., resulted in the compromise of sensitive information belonging to more than 600,000 patients. This included electronic medical records, allegedly leading to a devastating incident where a three-year-old was mistakenly administered a medication dosage five times higher than necessary.
Similarly, a November 2022 attack on three hospitals in New York forced healthcare professionals to resort to paper charts, causing care delays and potential complications. These examples highlight the pressing need for healthcare organizations to prioritize cybersecurity measures to protect patients and prevent disruptions that can have grave consequences.
Based on data provided by the CyberPeace Institute, it has been found that, on average, a cyberattack on a healthcare system results in 19 days of patients being unable to access certain types of care. In a specific instance, a cyberattack caused disruptions in medical services for approximately four months.
In a recent study conducted by Christian Dameff, MD, Jeffrey Tully, MD, and Theodore C. Chan, MD, it was discovered that ransomware attacks at one emergency healthcare facility can impact neighboring emergency healthcare facilities, even if they are not directly suffering from a ransomware attack. The findings of the study indicate that cyberattacks targeting healthcare, including ransomware incidents, result in significant disruptions to regional hospitals.
In the study, researchers examined data from emergency department (ED) visits during different phases: before, during, and after a cyberattack. The study included a total of 19,857 ED visits [1].
They found that during the attack phase, there were significant increases in various factors compared to the preattack phase. These factors included the daily number of patients in the ED, the number of patients arriving by emergency medical services (EMS), the number of admissions, the number of patients leaving without being seen, and the number of patients leaving against medical advice.
There were also increases in waiting room times and the total length of stay for admitted patients. Additionally, there was an increase in stroke code activations and confirmed strokes during the attack phase compared to the preattack phase. Overall, the study suggests that cyberattacks on healthcare systems can cause disruptions in ED operations, leading to longer wait times, delays in care, and increased risk for certain medical conditions like strokes.
The study also found that when healthcare organizations are attacked by ransomware, nearby hospitals can face challenges. They might have more patients to care for and struggle with limited resources, which can impact timely treatment.
[1] Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US | Emergency Medicine | JAMA Network Open | JAMA Network
Ransomware attacks can disrupt critical healthcare systems, such as electronic health records and medical devices, jeopardizing patient safety and delaying timely access to life-saving treatments. By implementing robust cyber security measures, healthcare organizations can mitigate the risk of ransomware incidents, safeguard patient data, and ensure uninterrupted access to essential medical services.
Proactive measures, including regular system updates, network segmentation, employee training, and incident response planning, are vital in preventing ransomware attacks that could have life-or-death consequences for patients. Prioritizing cyber security best practices is a fundamental step toward preserving patient well-being and maintaining the highest standards of care.
Following best practices helps safeguard sensitive patient information, maintain operational continuity, protect the organization's reputation, and ultimately ensure the delivery of safe and high-quality healthcare services. To increase cyber resilience in ransomware response, consider the following:
Related Resource:
Ransomware Causes Patient Death | Critical Insight
Patient dies after ransomware attack paralyzes German hospital (gizmodo.com)
The latest cyberattack on health care shows how vulnerable the sector is - The Washington Post
HHS: Ransomware groups continue to target U.S. health sector | AHA News
Lehigh Valley Health Network targeted by BlackCat ransomware (malwarebytes.com)
The mounting death toll of hospital cyberattacks - POLITICO
Ransomware attacks on hospitals take toll on patients (nbcnews.com)
German hospital hacked, patient taken to another city dies | AP News
Studies show ransomware has already caused patient deaths | TechTarget
Dameff C, Tully J, Chan TC, et al. Ransomware Attack Associated With Disruptions at Adjacent Emergency Departments in the US. JAMA Netw Open. 2023;6(5):e2312270. doi:10.1001/jamanetworkopen.2023.12270
Hospitals say cyberattacks increase death rates and delay patient care - The Verge
pfpt-us-tr-cyber-insecurity-healthcare-ponemon-report.pdf (proofpoint.com)
The untold story of a cyberattack, a hospital and a dying woman | WIRED UK
MercyOne hospital's parent company confirms ransomware attack (desmoinesregister.com)
Playing with Lives: Cyberattacks on Healthcare are Attacks on People (cyberpeaceinstitute.org)
Cyber Incident Tracer #HEALTH (cyberpeaceinstitute.org)
St. Margaret Health links closing to ransomware attack (newsnationnow.com)
This document and its contents do not constitute, and are not a substitute for, legal advice. The outcome of a Security Risk Assessment should be utilized to ensure that diligent measures are taken to lower the risk of potential weaknesses being exploited to compromise data.
Although the Services and this report may provide data that Client can use in its compliance efforts, Client (not Avertium) is ultimately responsible for assessing and meeting Client's own compliance responsibilities. This report does not constitute a guarantee or assurance of Client's compliance with any law, regulation or standard.
COPYRIGHT: Copyright © Avertium, LLC and/or Avertium Tennessee, Inc. | All rights reserved.