Many hospitals have been targeted in ransomware attacks by hackers—and in one Alabama hospital, an attack may have caused staff to miss concerning signs that ultimately led to a baby's death, the Wall Street Journal reports.
Access our cybersecurity resource library
According to the Journal, ransomware was a "novelty" in the cybercrime world a decade ago. But it has since become more sophisticated, causing major outages of critical infrastructure and the loss of hundreds of millions of dollars.
Hospitals are increasingly targets of ransomware attacks, the Journal reports, largely because hackers assume hospital executives will pay quickly to restore lifesaving resources.
One prominent ransomware hacking group is Ryuk, which is based in Russia. Since 2018, the group has attacked at least 235 hospitals and inpatient psychiatric facilities, along with dozens of other health care facilities in the United States, the Journal reports. According to Coveware, a ransomware negotiation firm, Ryuk's average ransom demand is just under $700,000. Chainalysis, a bitcoin analysis firm, said the group collected at least $100 million in ransom payments last year.
In May, the Federal Bureau of Investigation warned ongoing ransomware attacks on medical providers and first responders could endanger the public and risk medical care delays. In addition, Joshua Corman, a senior advisor at the Cybersecurity and Infrastructure Security Agency, said ransomware can lead to dire consequences for hospitals and patients.
"We can see that a cyberattack can strain [hospitals] enough to contribute to excess deaths," Corman said.
On July 8, 2019, Springhill Medical Center was hit by a ransomware attack—likely orchestrated by the hacking group Ryuk, the Journal reports. According to a hospital spokesperson, the hospital refused to pay the ransom, instead shutting down its network for at least three weeks before systems returned to normal.
During the network outage, nursing staff and doctors struggled to perform routine tasks, like accessing medical records and monitoring patients' vital signs. In the labor and delivery unit, staff were unable use a central monitoring system at the nurses' station, which showed real-time vital signs of patients in 12 delivery rooms. This monitor usually helped staff members closely track potential complications in their patients.
Without it, nurses placed patients in rooms closest to the nurses' station and turned up the volume on their bedside fetal heart monitors. Nurses were instructed to stay in or near their patients' rooms, and they routinely checked a paper readout from the fetal heart monitors.
Teiranni Kidd was one of the patients in the hospital's labor and delivery unit during the outage, the Journal reports. Around an hour before she gave birth, the printout of the fetal heartbeat monitor in her room showed that her baby had an abnormally fast heartbeat.
According to nurses specializing in obstetrics and newborns, an abnormal increase in heart rate can mean that an entangled umbilical cord has cut off blood and oxygen to the fetus. Doctors commonly choose to deliver a baby by C-section in these cases due to the potential for brain injuries.
However, only one person was monitoring Kidd's vital signs at the time, the Journal reports, and it's unclear whether the attending nurse noticed the rising heart rate or how it was interpreted.
"If that nurse didn't recognize it, it would have gone unnoticed," said Jeffrey Planchard, an anesthesiologist at Springhill at the time who now works for Mount Sinai Hospital in Chicago.
Later that day, Kidd's baby, Nicko, was born unresponsive with her umbilical cord wrapped around her neck. Nicko was soon transferred to the neonatal ICU at a nearby hospital and later diagnosed with significant brain damage.
A day after Kidd's delivery, the nurse manager examined Kidd's heart monitor printout for "what [they] missed or if [they] could have called [the attending doctor] sooner." After reviewing the printout on her own, Katelyn Parnell, the attending obstetrician, said she would have performed a C-section if she had been notified of the change in heart rate sooner, the Journal reports.
"I need [you] to help me understand why I was not notified," Parnell wrote in a text to the nurse manager. In another text she wrote, "[T]his was preventable."
According to Kidd, she was not aware of the ransomware attack when she was admitted to the hospital. In January 2020, she filed a medical malpractice lawsuit against Springhill in the Circuit Court of Mobile County, later amending it when her daughter died in April 2020.
In her lawsuit, Kidd alleges information about her baby's condition never reached Parnell because the attack removed the extra scrutiny the heart rate monitor would have received at the nurses' station, the Journal reports. If Kidd's allegations are proven in court, the case will be the first confirmed death from a ransomware attack.
In response to the lawsuit, Springhill has denied any wrongdoing. Jeffrey St. Clair, Springhill's CEO, said the hospital handled the ransomware attack appropriately.
"We stayed open and our dedicated health care workers continued to care for our patients because the patients needed us and we, along with the independent treating physicians who exercised their privileges at the hospital, concluded it was safe to do so," St. Clair said. (Poulsen, et al., Wall Street Journal, 9/30)
By Ty Aderhold, Director of Digital Health Research
This story highlights the sobering reality of the ongoing wave of cyberattacks against health care providers. In many of these stories, the narrative focuses on data breaches as hackers access patient data, but this serves as an important reminder that ransomware attacks can deeply affect patient safety and staff.
Technology has become ingrained into every aspect of health care delivery, to the point where providers are forced to move away from standard processes when technology becomes compromised. These manual processes increase the workload for staff and lack some of the operational fail-safes that technology provides.
With hackers continuing to target health care providers with ransomware attacks, it is now a matter of when, not if, a hack will occur. So how should health care organizations prepare for this new reality of a technology driven health care world? I've detailed three crucial steps to consider.
One of the first steps any provider organization is going to take after an attack is to shut off all systems to prevent further infection or data breaches. This often means physicians and staff will have to turn to manual processes, such as charting with a pen and paper. Physicians and staff need to know the manual processes required and regularly train on those processes to minimize the impact on patient care. It can take health organizations many weeks to come fully back online, so providers must be prepared for extended periods without access to the technological supports they may have become accustomed to.
Every health care organization provides some standard defense measures and employee training. But too many organizations stop here and allow security awareness to become a temporary or annual campaign with limited funding. Instead, organizations need to embed security into their organizational culture. This starts from the top with appropriate governance, including a designated Chief Information Security Officer, and adequate funding. According to the 2020 HIMMS cybersecurity survey, 53% of respondents dedicated 10% or less of their IT budget to cybersecurity. That is up 9% from 2019, and a sign that funding of cybersecurity is not matching the increased number of attacks we have been seeing.
As adoption of telehealth, connected health devices, and the internet of things continues to expand, so too does the risk for hacking with new devices and applications. Increasingly, this risk lives outside the four walls of provider organizations and instead resides with patients and third parties with network access. When it comes to third-party technology vendors and service providers, it is important to both establish risk management standards at the contracting stage and regularly assess how those standards are being met. As telehealth usage has increased, we have also seen an increase in attacks directed at telehealth systems. Furthermore, patient connected health devices can place patient data and safety at risk while leaving providers with less control over the management of these devices.
While organizations refocus their cybersecurity efforts, it is important to also consider how cybersecurity should impact future technology investments. As health care providers continue to invest in new technologies to further care delivery and connect with patients, they must also proactively consider how to prevent these investments from weakening their overall security. To learn more on how to become a cyber resilient organization, access our cybersecurity resource library.
Create your free account to access 1 resource, including the latest research and webinars.
You have 1 free members-only resource remaining this month.
1 free members-only resources remaining
1 free members-only resources remaining
Never miss out on the latest innovative health care content tailored to you.