Nurses warn that a ransomware attack is harming hospital operations and endangering patients' lives.
"A nurse at Ascension Providence Rochester Hospital, a facility with 290 beds about 25 miles north of Detroit, expressed concerns over the dangerous conditions created by the current influx of patients due to the cyber attack that occurred on May 8th. The healthcare network overseen by this St. Louis-based non-profit, which manages hospitals in 19 states, is still trying to get its systems back online.
One anonymous nurse from a 409-bed Ascension hospital in Birmingham, Alabama, shared a similar sentiment, saying that without functioning computers, there are too many safety measures gone missing.
Anonymity was crucial for these nurses to maintain their jobs.
The ransomware attacks targeting US hospitals are sadly regular occurrences, with the FBI receiving reports of 249 such attacks last year, making health care provider the most affected sector. Patient records are compromised during these attacks.
This incident, however, stands out for raising new concerns regarding the potential dangers of these cybercriminals' malicious acts.
The two Ascension nurses recounted their experiences in separate discussions, highlighting the significant hurdles they faced in adapting to the sudden switch to paper-based records. They also felt let down by their hospitals' responses and worried about the potential for mistakes in manually entering important medical information.
"I don't have any orders in the computer," remarked the Michigan-based nurse, "I can't see what labs are ordered and their results".
The union representing nurses at the Rochester, Michigan hospital, OPEIU Local 40, stated in a released online petition on Friday that their members were deeply concerned about the current challenges posed by the cyberattack. They pressure the hospital to enact a series of remedial actions, including reducing the nurse-to-patient ratio.
Mac Walker, Ascension's media relations director, failed to answer CNN's inquiries regarding the petition and the nurses' concerns about safety. Instead, he provided this statement on May 11th: "Restoring EHR (electronic health records) access has been among our top priorities during the recovery process. With our teams' efforts, we have successfully restored EHR access in our first market and are currently progressing towards restoring access across our network on a rolling basis".
Walker did not provide any clarification about what was meant by "first market".
Ascension, the fourth-largest hospital network in the country, claimed in a public statement released on May 13th that they had been working "around the clock with industry-leading cybersecurity experts" to restore their operations.
In response to the Ascension hack and a second ransomware attack earlier this year that paralyzed pharmacies across the USA, Biden administration officials are planning on releasing a list of minimum cybersecurity requirements for US hospitals. However, experts point out that in light of the numerous complex challenges in the health sector, even this policy intervention will not be enough to fully protect hospitals from cybercriminals.
Senior officials from the White House and the Department of Health and Human Services have scheduled a meeting with cybersecurity executives from health organizations on May 18th to focus on better protecting hospitals against the looming threats of hackers.
Despite Ascension's claims of "appropriately prepared staff to maintain high-quality care," the nurses interviewed by CNN described the challenges faced as creating a strain on the hospital's resources. Without functioning computers, they are dealing with an uphill battle to keep the hospital functioning, with increased wait times and potential for fatal consequences."
Unmanageable Waiting Times for Lab Results
Ascension stated to the media that their staff was well-trained to ensure high-quality care despite the downtime caused by the attack. However, the nurses who spoke to CNN described the chaos they are dealing with due to the limitations imposed by the attack.
As the computers were offline, doctors had no choice but to write physical prescriptions for patients, leaving the nurses to manually enter these into a machine without any input from the local pharmacy.
"They have to put an override in there to get the medication out," said Dina Carlisle, the president of OPEIU Local 40, referring to the exceptionally long wait times they were facing for lab results.
This Alabama-based nurse explained that a "stat lab," or lab that handles tests for patient care decisions, with an average turnaround time of 30 minutes to an hour under normal conditions, took several hours due to the limits imposed by the downtime.
A Growing Concern for Hospitals
Ransomware attacks regularly cause ambulances to be redirected and medical appointments to be postponed, leading to added pressure on neighbouring hospitals to compensate for the disruption during the time of the attack. However, public confusion over how these attacks directly affect patient care weakens the necessary push for resolutions to the rising health sector cybersecurity issues.
Recent studies have began to quantify the lethality of these attacks, with a research team at the University of Minnesota School of Public Health finding that, during a ransomware attack, 4 out of every 100 hospitalized Medicare patients passing away in the hospital - a 10% increase on the approximate 3 out of 100 deaths experienced under normal circumstances.
Experts point out that one of the issues is hospitals not passing essential cybersecurity checks, while small clinics often lack the necessary resources to secure themselves. What sets them apart from other sectors is the vast amount of sensitive data they possess, making them a prime target for cyber attacks.
In just one year, the number of sensitive data records in the healthcare industry rose by an astonishing 63%, surpassing any other industry and exceeding the global average by over five times, as per a study by Rubrik.
In February, cybercriminals gained access to an unprotected server belonging to Change Healthcare, a massive insurance billing company processing roughly 15 billion healthcare transactions annually. The attack severed healthcare providers from billions of dollars in income, creating chaos in pharmacies nationwide.
Andrew Witty, the CEO of UnitedHealth Group, which owns Change Healthcare, issued a heartfelt apology during a congressional hearing, admitting to paying a $22 million ransom to the hackers to safeguard patient data. Although he couldn't specify the exact number, he estimated that about one-third of Americans could have had their personal information pilfered during the hack.
Sezaneh Seymour, the head of regulatory risk and policy at cyber insurance firm Coalition, shared her thoughts with CNN, highlighting the fact that they frequently reject healthcare organizations for reasons like unpatched vulnerabilities, misconfigurations, and inadequate use of multi-factor authentication—exactly the areas hackers exploit to gain entry. However, she clarified that her company had no firsthand knowledge of the Change Healthcare or Ascension ransomware incidents.
Given their low tolerance for downtime, healthcare providers are highly coveted targets for cyber extortionists.
“When we consider ransomware attacks, we look for entities that are particularly vulnerable, those who can't afford significant downtime, and those willing to pay a higher ransom since they cannot afford interruptions,” Bryan Vorndran, the FBI's senior-most cyber-focused official, explained.
Addressing the Ascension attack, Vorndran added, “Hospitals experience significant disruptions during prolonged downtime. As a result, such establishments often have a higher inclination to pay ransoms compared to sectors with less constrained operations.”
Read also:
- Telefónica targets market launch for hologram telephony
- vzbv: Internet companies continue to cheat despite ban
- Telefónica targets market launch for hologram telephony in 2026
- AI and climate in schools: how to keep lessons up to date
In the tech world, ransomware attacks on healthcare providers have become alarmingly common, with the FBI reporting 249 such incidents targeting US hospitals last year. The tech-savvy cybercriminals behind these attacks often demand hefty ransoms, exploiting the sector's high dependence on digital systems and sensitive data.
Recognizing the vulnerability of their sector, tech-focused businesses in the healthcare industry are increasingly investing in advanced cybersecurity measures to protect their critical systems and patient data. This heightened focus on tech security could potentially reduce the likelihood and impact of future ransomware attacks, ensuring business continuity and improving patient safety.
Source:
