Sanford Health, Eskenazi Health recovering from cyberattacks in EHR downtime

Cyberattacks on Sanford Health in South Dakota and Eskenazi Health drove the providers into EHR downtime procedures, with one diverting care to local hospitals.

Cyberattacks on two U.S. health systems, Sanford Health in South Dakota and Eskenazi Health in Indianapolis, have forced the providers into electronic health record (EHR) downtime procedures, according to multiple local news outlets and statements from the health systems.

What’s being reported as a ransomware attack on Eskenazi Health began in the early hours of Aug. 4, leading the response team to shut down the IT network out of an abundance of caution to prevent the attack from spreading and to protect patient safety.

Officials said that their previously implemented monitoring tools functioned as planned, which enabled the security team to swiftly detect and respond to the intrusion. All health system locations have been affected by the incident. However, officials stressed the incident is in no way affecting patients in current treatment at Eskenazi Health.

Ambulances are being diverted to nearby hospitals as the provider is operating under EHR downtime procedures. A hospital spokesperson confirmed the attack, noting the response team is working to bring each system back online “with a high level of due diligence to analyze all systems” before powering on the devices.

As of Wednesday evening, ambulances were still being diverted. For now, the investigation has not found evidence of data compromise. At the time of publication, the Eskenazi website was down, as well.

Meanwhile, Sanford Health is also “taking aggressive measures to contain the impact” of an ongoing cybersecurity incident that struck the health system on Aug. 4. Sanford Health is one of the largest health systems in the region, with 46 hospitals, 224 clinics, 233 senior living communities, and 158 skilled nursing and rehabilitation facilities.

The provider is working closely with a third-party IT security team and has notified federal law enforcement. It’s unclear what caused the incident and whether it was tied to ransomware.

For now, details on the ongoing network outage are sparse, but a statement from Bill Gassen, Sanford Health CEO and president, stressed that "providing patients with exceptional care is our top priority, and we are doing everything possible to minimize disruption."

The investigation has not found evidence that patient, employee, financial, or other data has been compromised.

According to Emsisoft Threat Analyst Brett Callow, if ransomware is confirmed by Sanford Health, the Eskenazi and Sanford incidents mark the 35th and 36th providers to be hit with the encrypting virus so far this year. Among the impacted, 18 health-care entities have seen their data exfiltrated and publicly leaked.

For comparison, Emsisoft data show at least 80 providers and health systems were hit with ransomware in 2020, disrupting care at more than 560 care sites. Among those impacted, 12 saw their data leaked online after the attack.

In the last two months, ransomware hacking groups have leaked troves of stolen data from Homewood Health, Goetze Dental, Care Fertility, Jefferson Health, and the University Medical Center of Southern Nevada, among others.

The recently released CynergisTek report spotlighted the ongoing, uphill battle the sector is facing with ransomware: “COVID-19 inspired hackers to pursue ransomware as companies rushed to digitize without adequate security measures, creating more extortion targets.”

Data show there was a 435% increase in ransomware from 2019 to 2020. These attacks can cause millions in damages and care delays, as seen in the recent attacks and recovery efforts at the Ireland Health Service Executive and even the late 2020 attack on Universal Health Services. The UHS incident cost $67 million in lost revenue and recovery efforts.

As recently noted by Christian Dameff, M.D., an emergency room physician at the University of California San Diego, outages caused by cyber incidents can leave area hospitals overcrowded, due to the influx of patients diverted from the downed hospital. UCSD Health saw an influx of patients during the month-long network outages at nearby Scripps Health after a cyberattack in May 2021.

And when multiple hospitals are affected, the impact is much greater. Rural health entities can also face an increased risk to patient safety when diverted ambulances must transport patients over longer distances because nearby hospitals are overwhelmed or there are no other local care sites.

“Repeated warnings around best practices for ransomware attacks always include backups of information — they are conducted, maintained, and tested,” CynergisTek researchers explained. “Considering those warnings and the uptick in ransomware and in health care specifically, this may be telling in terms of why so much ransom is paid.”

“As a sector, we do better at protecting the physical operating environment for organizational assets than we do with data,” they added. “Going forward, it’s clear this isn’t the right time to cut back on cybersecurity, and smart spending will be necessary to secure organizations against a rising tide of ransomware threats.”

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
