Columbus Regional Health is on high alert after a wave of cyberattacks hobbled at least three nearby hospitals, including Schneck Medical Center, in recent weeks.
In some cases, disabled computer systems have forced staff to revert to pen-and-paper record-keeping and disrupted patient care.
The attacks, which CRH officials said appear to be targeting health care providers and first responders, have swept through southern and central Indiana over the past several weeks, ranging from data theft to ransomware attacks or other breaches.
Over the past two weeks, cyberattacks have been reported at Schneck Medical Center in Seymour and Johnson Memorial Health in Franklin. In August, Eskenazi Health in Indianapolis was struck by a cyberattack. It is not clear whether the attacks are related.
So far, CRH has not fallen victim to a cyberattack, though the hospital system saw a “record number of attempts” to breach its computer systems last month, said CRH spokeswoman Kelsey DeClue.
In response, CRH officials said the hospital system has been putting in place additional cybersecurity measures, adding that it is “insane” how often the hospital is being targeted. Hospital officials, however, declined to go into any details on what additional measures were being taken, citing security concerns.
“We’re certainly always on alert,” DeClue said. “… The (IT) teams are always finding a new way that somebody is trying to get in.”
The increased measures by CRH come as cyberattacks targeting the health care sector have spiked during the COVID-19 pandemic with the FBI and two other federal agencies warning last year that they “had credible information of an increased and imminent cybercrime threat to U.S. hospitals and health care providers.”
The threats included data theft and ransomware attacks, which is when hackers gain access to sensitive data and threaten to publish it or block access to it unless a ransom payment is made.
Cyberattacks against hospitals in Indiana are not new, but rarely has a series of attacks impacted the operations of multiple hospitals in the Columbus area in such a short period of time.
In August, “sophisticated cyber criminals” penetrated Eskenazi Health’s computer systems and stole the personal and health care data of patients and employees, the hospital said in a statement Oct. 1. The attack resulted in the hospital diverting ambulances to other facilities.
Some of that data, the hospital said, was posted on the dark web — including names, dates of birth, addresses, medical diagnoses, Social Security numbers, passport numbers, facial images, credit card information, among other information, the statement said.
A few weeks later, Schneck Medical Center suspended all IT operations “out of an abundance of caution” after being hit with a cyberattack.
The hospital said at the time that “third-party security partners” were attempting to restore operations as soon as possible. As of Friday, Schneck had restored some computer operations, including Meditech core operations, enterprise printer systems and its picture archiving and communications systems, according to Becker’s Health IT.
A Schneck spokesperson told Becker’s Health IT on Friday that the hospital was working system by system to restore computer operations as part of a thorough evaluation of its systems.
Just a handful of days later, Johnson Memorial Health was hit with a cyberattack that resulted in the disabling of its computer system, forcing staff to fill out patient records on paper, cutting off electronic communication with other health care agencies and preventing the hospital from being able to report staffing and bed counts in real time to local emergency medical providers, The Daily Journal reported.
CRH has not been flooded with patients being diverted from those hospitals as a result of the cyberattacks but helped Schneck with radiology and cancer care services for some patients, DeClue said.
Despite the flurry of recent attacks, it’s hard to estimate how many health care organizations have been hit by similar attacks, though estimates are staggering.
One recent study by technology research and comparison website Comparitech suggested that ransomware attacks impacted more than 600 health care organizations — and more than 18 million patient records — last year.
A survey by U.K.-based security firm Sophos found that 1 in 3 health care organizations worldwide were struck by ransomware attacks last year with an average total cost to the organization of $1.27 million, taking into consideration network downtime, employee time, the ransom paid, among other expenses.
The average ransom paid was $134,304. But even after paying the ransom, health care organizations on average were only able to recover 69% of the data that was encrypted by hackers, the survey found.
And most health care organizations that weren’t hit by ransomware attacks last year expect to be at some point in the future, according to the survey. Some said they are already experiencing an increase in attempted attacks.