On Oct. 17, Dickinson County Healthcare was targeted in a ransomware attack that temporarily crippled its IT systems, forcing staff to shift to backup paper records to continue patient care. The nonprofit health system said it did not discover any patient data stolen, according to an Oct. 30 hospital news release.
Crain’s reached out to Dickinson County CEO Chuck Nelson for an interview.
“We are treating this matter with the highest priority and are responding by using industry best practices while implementing aggressive protection measures,” Nelson said in a statement. “While we investigate, our top priority is maintaining our high standards for patient care throughout our system.”
The FBI said cybercriminals have been launching the attacks using a strain of ransomware known as Ryuk. So far, 59 U.S. health care providers or systems have been impacted by ransomware this year, disrupting patient care at up to 510 facilities, the FBI said.
In 2017, the WannaCry ransomware attack, believed to originate from North Korea, affected more than 300,000 people in more than 150 countries and caused widespread problems with the United Kingdom’s National Health Service.
Several Michigan businesses and local governments have been victims of cyberattacks, according to a Crain’s special report. For example, Brookside ENT and Hearing Center, a small physician practice in Battle Creek, was hacked in a ransomware attack in 2019. The practice’s computers were locked down, patient data and appointments frozen. The two doctor partners, including state Sen. John Bizon, M.D., refused to pay and closed their office.
Nowak said most cyberattacks come through emails where the ransomware is attached and can enter when a user clicks on a link.
“It looks like it’s supposed to come from any (legitimate company such as Federal Express or Microsoft) and they come all the time in different ways,” Nowak said. “If users don’t pay specific attention to what’s in those emails, when they click on those infected links, it will enter their network ID and password, and then the hacker will have that information.”
Once into a health care employee’s computer, Nowak said the virus “will try to map the system’s network, steal other passwords and infect the network very quickly.”
Nowak said the recent FBI warning was the first such alert where health care organizations were specifically targeted.
“Patient records are so much more valuable to the hackers than some of the other information,” such as a stolen credit card that can be canceled, he said.
Peters said hospitals have done a good job in recent years to harden their IT security infrastructure. He said alerts have gone out to employees to regularly change passwords and use multi-factor authentication.
In statements from Michigan Medicine and Henry Ford Health System and in an internal memo from Blue Cross Blue Shield of Michigan, cybersecurity officials say they have found no evidence of intrusions to their secure information systems.
“Our teams remain vigilant against any potential threats and will continue to follow best practices and work with our partners in law enforcement and other cybersecurity groups to keep our systems safe and secure,” according to Michigan Medicine, which is the health care entity of the University of Michigan.
Most hospitals and health insurers have issued alerts to employees and vendors to be careful about clicking suspicious emails.
“We are confident in the security of our information systems and have taken additional steps in the wake of this warning to protect patient confidentiality and prevent a breach,” John Gillespie, Henry Ford’s director of news content and media relations, said in an email.
“We encourage everyone, especially our team members, to be vigilant against phishing attacks that have the potential to give cybercriminals access to their computer and potentially result in identity theft, financial loss and even ransomware,” Gillespie said.
Since Oct. 1, health care data breaches have impacted more than 54 hospitals, including McLaren Oakland and Michigan Medicine, the U.S. Department of Health and Human Services said. The McLaren and Michigan Medicine breaches involved unauthorized access and disclosure and were under investigation, the U.S. Office of Civil Rights said.
Like many other hospitals in Michigan, Henry Ford has been subject to lost patient data.
Since 2010, Henry Ford has reported four possible data breaches. Like others in health care, Henry Ford is required by federal privacy laws to report breaches and notify patients that their personal information may be used inappropriately.
Officials from Henry Ford have told Crain’s they have learned and improved from each incident, all of which have been caused by human error. One of the first changes the Detroit-based system made was to encrypt all its employee laptops and limit the use of flash drives, which are also encrypted in case they are stolen or lost.
For example, a Henry Ford employee opened an email in December 2017 and clicked on a link without realizing the email was part of a phishing attack. Because of Henry Ford’s security safeguards, the malware was contained and prevented from infecting the wider network.
Nowak said hospitals regularly conduct drills within their systems to look for vulnerabilities and also test their employees using fake ransomware.
What kind of damage can hospitals incur from a ransomware attack?
“The biggest loss would be the patient care if they have to close down the entire network and go back to paper,” Nowak said. “I am not even sure if they would be able to tell who has an appointment.”
In late October, three federal agencies advised health care organizations to have a contingency plan to transfer patients to another facility, one that might be outside of their market, to make sure the referring hospital is clear of problems.
“The FBI recommends against hospitals, or anyone else for that matter, paying the ransom request,” Peters said. “The rationale for that is No. 1, there’s no guarantee that your payment of that ransom is going to fix the problem. No. 2, certainly that would encourage more bad behavior down the road, if we continue to pay these ransom requests.”
Peters said there’s a financial impact anytime a hospital has to shut down because of a ransomware breach.
Nowak said backup systems can help immensely if the main IT system is locked.
“If they are connected to the cloud, they’ll have a point that they can restore back there,” Nowak said. “Systems (restored) back to where they were before that happened without any of the ransomware on there, they’ll also most likely have to have cybersecurity experts come in and help them find how it got in where it was.”
Nowak said the average downtime after a ransomware attack is 15 days.
What steps are hospitals taking?
Peters said hospitals are identifying critical assets, like patient databases and medical records. They are creating backups of those systems and then implementing network segmentation to avoid a virus going from one area to another.
“From what we are hearing from our hospital leaders, they’re doing those things,” Peters said. “What gives us a little bit of confidence that we’re as well prepared as we can be … is our own health care cybersecurity operations.”
To help health care organizations prevent attacks, the MHA helped create in 2018 the Michigan Healthcare Security Operations Center. The Plymouth-based Mi-HSOC is a cybersecurity membership group that shares best practices to prevent, detect, analyze and respond to cybersecurity events.
Members include Michigan Medicine in Ann Arbor, Beaumont Health based in Southfield and Munson Healthcare in Traverse City.
“We have daily meetings to go over the threats,” Nowak said. “We have some tasks that are automated, and we all share and collaborate on everything that we’re seeing across all of our environments.”
Nowak said the health systems don’t share IT or software systems.
“We’re all better together,” said Nowak, adding that none of the hospitals have been targeted the past two years. “It’s always good for us to help each other when we can.”