Smaller healthcare systems have managed to avoid getting hit with ransomware — until now.
Take a smallish community healthcare provider, Campbell County Health, in Wyoming. It got hit with a cyberattack a month ago, its CEO, Andy Fitzgerald, told The Wall Street Journal recently.
“My initial thought was, ‘Oh crap,’” he told the paper, without revealing if he had forked over any ransom cash or not.
The story was familiar: the 90-bed hospital's records were compromised and many patients had to be relocated, while staff struggled with paper-and-pencil patches.
As bigger facilities have hardened their systems to hacking, criminals are looking to the vast number of such smaller providers, many of whom are often hard-pressed to pay the price of high-end security for their systems, Jennifer Barr, a health-care analyst at Moody’s Corp, explained to the paper.
The Wyoming attacks came as a number of other facilities were likewise slammed by hacking episodes. Just last week, for example, a hacking event against DCH forced three of its Alabama hospitals — DCH Regional, Northport and Fayette — to likewise shut systems, relocate and divert patients, and resort to paper systems for record keeping.
“Everybody is familiar with [emergency procedures] but you obviously don’t want to do it for days,” hospital spokesman Bradley Fisher said last week. At present the problem has not been resolved and the facilities are not yet returning to normal, he noted.
Over the summer, numerous dental practices were also hit, according to a report from the American Dental Association, when ransomware struck dental providers, locking practices out of their data.
For smaller concerns, trying to recover from ransomware can literally break the bank and force a closure, Linn Freedman, head of the privacy and cybersecurity practice at law firm Robinson & Cole LLP, told the Journal.
Just such a problem befell Wood Ranch Medical in Simi Valley, California, over the summer. In its note announcing its closure, it stated, “unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” adding that, “as much as I have enjoyed providing medical care to you, I will not be able to attend to you professionally after that date.”
Likewise, Brookside ENT and Hearing Center in Battle Creek, Michigan, also shut down after a ransomware incident in the spring. The company refused to pay, referred its patients to other providers and shut. The Journal noted that one of its doctors had retired after the event.
In the first nine months of 2019, at least 621 various government and private groups — of which 491 were healthcare providers — have been hit by ransomware, according to a newly released report by the cybersecurity firm Emsisoft.
One in four healthcare organizations were hit by ransomware in 2018, and by 2020 that number is expected to quadruple, according to the report “Cyber Pulse: The State of Cybersecurity in Healthcare.” In addition, beyond dangers to patients, the average cost of enterprise network downtime is $5,600 per minute, which equals more than $300,000 per hour, according to researcher Gartner.
And according to a recent survey from Datto Inc., “only about half of small and medium-sized businesses (SMBs) have a disaster recovery plan in place,” advised Ryan Weeks, the firm's chief information security officer.