Skip to main content

Cyberattacks on Hospitals Are Likely to Increase | March 2024

Published Date
Author McGraw Hill Higher Education

March 2024 | Volume 15, Issue 78

Read the full article from ABCNews.

Cybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is crippling operations at a premier Midwestern children's hospital and that the U.S. government is doing too little to prevent such breaches.

A Target for Internet Thieves

Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records. Today, they are a favorite target for internet thieves who hold systems' data and networks hostage for hefty ransoms, said John Riggi, the American Hospital Association’s cybersecurity adviser.

“Unfortunately, the unintended consequence of the use of all this network and internet connected technology is it expanded our digital attack surface,” Riggi said. “So, many more opportunities for bad guys to penetrate our networks.”

The assailants often operate from American adversaries such as Russia, North Korea, and Iran, where they enjoy big payouts from their victims and face little prospect of ever being punished.

Ransomware Attacks

In November, a ransomware attack on a health care chain that operates 30 hospitals and 200 health facilities in the United States forced doctors to divert patients from emergency rooms and postpone elective surgeries. Meanwhile, a rural Illinois hospital announced it was permanently closing last year because it could not recover financially from a cyberattack. And hackers went as far as posting photos and patient information of breast cancer patients who were receiving treatment at a Pennsylvania health network after the system was hacked last year.

Now, one of the top children's hospitals in the country, the Ann & Robert H. Lurie Children’s Hospital of Chicago, has been forced to put its phone, email, and medical record systems offline as it battles a cyberattack. The FBI has said it is investigating.

A Rise in Cyberattacks

Brett Callow, an analyst for the cybersecurity firm Emsisoft, counted 46 cyberattacks on hospitals last year, compared with 25 in 2022. The paydays for criminals have gotten bigger too, with the average payout jumping from $5,000 in 2018 to $1.5 million last year.

“Unless governments do something more meaningful, more significant than they have done to date, it’s inevitable that it’ll get worse,” Callow said.

Callow believes the government should ban cyberattack victims such as hospitals, local governments, and schools from paying ransoms. “There’s so much money being paid into the ransomware system now there is no way the problem is going to simply go away on itself,” he said.

The Department of Health and Human Services Gets Involved

The dramatic increase in these online raids has prompted the nation’s top health agency to develop new rules for hospitals to protect themselves from cyber threats.

The Department of Health and Human Services said it will rewrite the rules for the Health Insurance Portability and Accountability Act -– the federal law commonly called HIPPA that requires insurers and health systems to protect patient information – to include new provisions that address cybersecurity later this year.

The department is also considering new cybersecurity requirements attached to hospitals’ Medicaid and Medicare funding.

“The more prepared we are the better,” said Deputy Secretary Andrea Palm.

But, she added, some hospitals will struggle to protect themselves. She is worried about rural hospitals, for example, that may have difficulty cobbling together money to properly update their cybersecurity. HHS wants more money from Congress to tackle the issue, but Palm said the agency does not have a precise dollar amount its seeking.

“It’s important to note that this has to come with resources," Palm said. "We can’t set the industry up not to be able to meet requirements.”

The Cost of Cyberattacks

Becoming the victim of a cyberattack is costly, too. The attacks can put hospitals’ networks offline for weeks or months, forcing hospitals to turn away patients.

In Chicago, Lurie Hospital’s network has been offline for two weeks. The hospital, which served more than 260,000 patients last year, has established a separate call center for patients' needs and resumed some care.

Recently, Lurie’s surgeons operated on Jason Castillo’s 7-month-old daughter mostly by hand, without some of the high-tech devices usually used.

His daughter’s planned heart surgery was postponed on January 31, when the hospital found itself under cyber siege. The surgeon talked to Castillo before his daughter was wheeled in for a six-hour surgery, promising that he felt confident he could do the procedure despite the ongoing cyberattack.

“She’s doing fantastic,” Castillo said of his daughter, who is now recovering at home. “It feels like a huge cloud has been lifted from our household.”

Even once Lurie has restored their network, it will likely take months of behind-the-scenes work for the hospital to fully rebound, Callow said.

“These incidents can affect everything from patient care to payroll,” Callow said. “Fully recovering can take months, it’s not simply a matter of flicking a switch and everything comes back on.

Discussion Questions

  1. What is a cyberattack? What is ransomware?
    A cyberattack is any intentional effort to steal, expose, alter, disable, or destroy data, applications, or other assets through unauthorized access to a network, computer system, or digital device.

    One type of cyberattack is malware, which is malicious software that can render infected systems inoperable. Malware can destroy data, steal information, or even wipe files critical to an operating system’s ability to run.

    Malware comes in numerous forms, including ransomware, a sophisticated malware that uses strong encryption to hold data or systems hostage. Cybercriminals then demand payment in exchange for releasing the system and restoring functionality. According to IBM’s “X-Force Threat Intelligence Index,” ransomware is the second most common type of cyberattack, accounting for 17 percent of all cyberattacks.
  2. As indicated in the article, Brett Callow, an analyst for the cybersecurity firm Emsisoft, believes the federal government should ban cyberattack victims such as hospitals, local governments, and schools from paying ransoms. Would you support or oppose such a regulation? Explain your response.
    This is an opinion question, so student responses will likely vary. Your author has mixed sentiments regarding support for or opposition to such a regulation. As mentioned in response to Article 1, Discussion Question 1 of this newsletter, the effects of a cyberattack can be devastating.

    This realization arguably lends support to the notion that the decision to pay a ransom in response to a cyberattack should be at the discretion of the individual organization. On the other hand, paying a ransom sets a dangerous precedent in terms of the expectations of those who engage in cyberattacks, promoting assurances that the victims of cyberattacks will pay to avoid potentially disastrous results.      
  3. As indicated in the article, Department of Health and Human Services Deputy Secretary Andrea Palm is particularly concerned about rural hospitals that may have difficulty finding additional funds to update their cybersecurity. Would you favor or oppose funding from the U.S. Congress to address this concern? Why or why not?
    This is an opinion question, so student responses may vary. In your author’s opinion, if the federal government considers banning cyberattack victims such as hospitals from paying ransoms, it should accept the reality that cybersecurity is expensive, accept the reality that rural hospitals may be cash-strapped, and realize that supporting rural hospitals financially is good public policy in terms of supporting their mission and the patients who are assisted in the fulfillment of that mission.