Ransomware attacks in 2019 forced some health systems to pay up

Cybersecurity experts warn healthcare organizations not to pay up for fear of more attacks, but some provider organizations had no choice last year.
By Nathan Eddy
10:52 AM
Ransomware attacks in 2019 forced some health systems to pay up

Phishing attacks continued to plague health systems around the world in 2019, forcing some provider organizations to pay up in order to get their systems back online. In the meantime, these attacks forced hospitals to revert to paper-and-pen record keeping, underlining how debilitating these attacks can be.

Just last month New Jersey’s Hackensack Meridian Health, one of the state’s largest health systems was forced to pay up following a ransomware attack, even though the health system said the technical issues had been limited to rescheduling a “small number” of non-emergency procedures.

17 hospitals and clinics affected

The organization said it was not aware of any impact to the confidentiality of health information, including patient records, but the attack affected all 17 hospitals and clinics and forced the health system to use paper records as it worked to bring systems back online.

The undisclosed sum paid by the New Jersey health system is covered by an insurance plan that helps it cover costs related to cyber attacks, officials said.

The Hackensack Meridian incident is just the latest in a string of high-profile ransomware attacks across the globe, including a November attack on a cloud vendor that froze nursing home EHR data.

In October, Alabama hospital system DCH had to pay to restore systems after a ransomware attack forced them to shift operations into manual mode, using paper copies in place of digital records – the organization purchased a decryption key from the hackers for an undisclosed sum.

A strong impact on healthcare activity

Ransomware attacks across the globe, from France to Australia, highlighted the ongoing security issues health systems face: The large-scale cyber attack in University Hospital Centre de Rouen in France had “a strong impact on the information system and therefore the activity of the establishment,” as reported in November.

At least four hospitals in Romania were hit by ransomware in June, with the Romanian national cybersecurity and incident response team cautioning that no money should be paid to the ransomware hackers.

The astonishing scale of the attacks – a Presbyterian Healthcare phishing scam in August affected 183,000 patient records – means the entire healthcare ecosystem is going to have to reevaluate how to protect its systems and share information about attacks and attempted security breaches, even as attacks become more frequent and more sophisticated.

One success story in 2019 was Interfaith Medical Center, which deployed a variety of network security technologies to ward off ransomware and other attacks, virtualizing its servers in the process, which resulted in cost savings of more than $2 million over a seven-year period.

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209