When cyber criminals attacked DCH Health System last week, they encrypted computer files and restricted access to medical systems. Brad Fisher, DCH spokesperson, says it had a big impact.
“When those things are not available, and the system is built on having those to deliver the care, it’s really difficult,” Fisher says.
In response to the attack, DCH stopped accepting all but the most critical new patients at its three hospitals located in Tuscaloosa, Northport and Fayette, and employees reverted to using paper charts and records.
After paying the hackers to obtain a decryption key over the weekend, hospital officials are now working to fully restore operations. Fisher says the attack was an eye opener.
“If you’re in a hospital, be afraid. Be very afraid,” Fisher says. “It’s not good. It’s not a good thing at all.”
Ransomware attacks are the most significant cyber threat to hospitals across the country, according to John Riggi, a 28-year veteran of the FBI and now senior advisor for cybersecurity and risk at the American Hospital Association.
“Ransomware has a direct impact to interrupt patient care delivery operations and potentially patient safety,” Riggi says.
He says nowadays, because hospitals are increasingly wireless, a ransomware attack can shut down everything from CPAP machines and blood pressure monitors to the entire emergency room.
In addition to ransomware, hospitals also face potential cyber threats that target sensitive patient information and medical data. Last week, UAB Hospital announced that protected health information for about 20,000 patients was exposed and possibly viewed by hackers, after a phishing attack in August. Officials say criminals were trying to re-direct employee payroll deposits.
Cybersecurity expert John Riggi says a hospital’s best defense is prevention. Since ransomware and other malware typically enter a system via an email attachment or a link, employee education is key. He adds that hospitals should keep offline backups and regularly address software vulnerabilities, though that can be a challenge.
“Because hospitals operate 24/7, they can’t shut down overnight to deploy patches in their systems, and the systems are tremendously complex,” Riggi says.
This year, he says, there has been a dramatic increase in targeted cyberattacks on hospitals and other organizations. But at the same time, there is a growing awareness of the issue. Riggi says hospitals across the country now consider it a top risk. It just so happens that October is Cyber Security Awareness Month.