Experts in cybersecurity are issuing a cautionary statement that medical facilities across the nation are vulnerable to cyberattacks, similar to the one currently affecting a top children’s hospital in the Midwest. They are also expressing concern about the inadequate measures taken by the government to prevent these types of breaches.

In the past few years, hospitals have changed their reliance on internet technology to assist with various tasks such as telemedicine, medical equipment, and patient information. Unfortunately, they have become a popular target for cybercriminals who demand large sums of money in exchange for releasing control of the hospitals’ data and networks. John Riggi, an adviser for cybersecurity at the American Hospital Association, has noted this trend.

“Regrettably, the unintended result of utilizing various network and internet-connected technology is the expansion of our vulnerability to digital attacks,” stated Riggi. “This provides numerous opportunities for malicious individuals to infiltrate our networks.”

The attackers frequently work for countries that are enemies of the United States, such as Russia, North Korea, and Iran. In these countries, they receive large sums of money from their targets and have little fear of consequences.

Last November, a healthcare chain with 30 hospitals and 200 health facilities in the US was targeted by a ransomware attack, causing doctors to redirect emergency room patients and postpone elective surgeries. Additionally, a rural hospital in Illinois had to shut down permanently due to financial repercussions from a cyberattack. In another incident, hackers shared photos and personal details of breast cancer patients at a Pennsylvania health network after breaching their system last year.

The Ann & Robert H. Lurie Children’s Hospital of Chicago, which is now recognized as a leading children’s hospital in the United States, is currently facing a cyberattack that has resulted in the shutdown of its phone, email, and medical record systems. The FBI is currently conducting an investigation into the matter.

According to Brett Callow, who works as an analyst at cybersecurity company Emsisoft, there were 46 cyberattacks on hospitals in the previous year, which is higher than the 25 attacks in 2022. The amount of money that criminals received has also increased significantly, with the average payout going from $5,000 in 2018 to $1.5 million last year.

Callow stated that if governments do not take more substantial action than they have in the past, the situation will undoubtedly deteriorate.

According to Callow, the government should prohibit ransom payments from cyberattack victims, including hospitals, local governments, and schools. He asserts that with the increasing amounts of money being paid to ransomware attackers, the issue cannot be solved on its own.

The significant rise in these internet attacks has spurred the country’s leading health organization to create fresh regulations for hospitals to safeguard against online dangers.

The Health and Human Services Department announced plans to revise the guidelines for the Health Insurance Portability and Accountability Act (HIPPA), a federal law that mandates insurance companies and healthcare facilities to safeguard patient data. The updated regulations will incorporate additional measures to address cybersecurity concerns and are expected to be implemented later this year.

The department is currently evaluating potential additions to cybersecurity standards that would be linked to the Medicaid and Medicare funding received by hospitals.

Deputy Secretary Andrea Palm stated that being more prepared leads to better outcomes.

However, she expressed concern that certain hospitals may face challenges in safeguarding themselves. She specifically mentioned rural hospitals, which may struggle to acquire sufficient funds for adequate cybersecurity measures. While HHS is requesting additional funding from Congress to address this issue, Palm stated that the agency does not have a specific dollar amount in mind.

Palm emphasized the significance of having adequate resources in order to meet requirements within the industry. It is not feasible to establish a system that cannot fulfill these obligations.

Being targeted by a cyberattack can also have a significant financial impact. These attacks have the potential to shut down hospitals’ networks for extended periods of time, resulting in patients being denied access to medical services.

The network at Lurie hospital in Chicago has been down for a duration of two weeks. This hospital provides medical services to over 260,000 individuals annually and has set up a dedicated call center for patient inquiries while also resuming some of their services.

Last Thursday, surgeons at Lurie Medical Center performed surgery on Jason Castillo’s 7-month-old daughter using primarily manual techniques, as opposed to the usual high-tech devices.

On January 31, the scheduled heart surgery for his daughter was delayed due to a cyber attack on the hospital. The surgeon reassured Castillo that he was still able to perform the six-hour procedure, despite the ongoing cyberattack, before his daughter was taken into the operating room.

“She’s making great progress,” Castillo stated about his daughter, who is currently recuperating at home. “It’s like a weight has been lifted from our family.”

According to Callow, it will probably take several months of behind-the-scenes efforts for the hospital to fully recover, even after Lurie has fixed their network.

Callow stated that these occurrences have the potential to impact various aspects such as patient treatment and salary management. He explained that it can take several months to fully bounce back, as it is not as simple as turning a switch and having everything back to normal.

___

Kathleen Foody, a writer for the Associated Press, contributed to this report from Chicago.