A ransomware attack late last week on Los Angeles-based Prospect Medical Holdings spread to hospitals in at least four other states before the healthcare group took its systems offline to prevent any further spread.
The attack hit hospitals and medical facilities at Prospect Medical Holdings affiliates in Connecticut, Pennsylvania, Rhode Island and Texas.
Officials with Prospect Medical affiliate Crozer Health Network in Pennsylvania said impacted hospitals included Crozer-Chester Medical Center, Taylor Hospital, Delaware County Memorial Hospital and Springfield Hospital.
CBS News reported that officials at the hospital in Springfield said the hospital had reverted to a paper system because most of the computers are offline and are not expected to come back online until later this week. CBS also reported that two hospitals in Rhode Island — Roger Williams Medical Center and Our Lady of Fatima — were also hit.
In a Facebook post, Waterbury Health in Waterbury, Conn., said it had experienced a data security incident that disrupted its operations. Upon learning of the incident, all systems were taken offline to protect them and an investigation was launched with the help of cybersecurity specialists.
“Waterbury Health network continues to serve patients at all its locations using downtime procedures, but a few of its outpatient services have been affected, including outpatient blood draw and diagnostic imaging services which were not available Friday and Saturday,” said Waterbury Health.
Industry analysts said this latest attack mirrored the attack last fall on CommonSpirit Health in which the corporate entity was attacked in an attempt to infiltrate the corporate network and spread to affiliates. In both cases, cybersecurity officials took the networks offline to prevent any further spread — a common tactic among cyber defenders.
“Shutting off systems and networks helps prevent spread of the attack,” said Will Long, chief security officer at First Health Advisory. "However, it does not limit the other impacts on the healthcare community."
Long said when a healthcare system or facility is impacted in a community, patients are diverted to other facilities. The neighboring systems can feel the impact of the initial cyberattack, even when they might not be directly affected, said Long.
“The extra load created when healthcare facilities are taken offline, or even rendered with limited access, can have a serious impact on the healthcare delivery communities, on the whole,” said Long. “Shutting systems down, moving to paper, restoring systems, partial outages, disruptions, or any other delays all cause patient safety risks in healthcare.”
Healthcare a popular industry for attackers to target
Shawn Surber, senior director and healthcare strategist at Tanium, said the healthcare industry has long been a target for cyberattackers because of the critical nature of their operations and the high level of legacy equipment and procedures.
Surber said there was a time when malicious actors would “take it easy” on healthcare providers: for example, the Irish National Health Service was given the decryption key for free, but its data was still held and ransomed for $20 million.
“In the last couple of years, that type of behavior has changed and more healthcare accounts are coming under full attack,” said Surber. “Unfortunately, their infrastructure remains weaker and less cohesive than that of other industries. Add to that the accelerating mergers and acquisitions process in order to keep health systems afloat, and it's become the perfect hunting ground for malicious attackers.”
Randy Watkins, CTO at Critical Start, said that attackers target patient care centers with ransomware to disrupt operations and put patient lives at risk unless the ransom is met. Watkins said unfortunately, medical provider security teams are often under-resourced, making them more susceptible to attacks that fly under the radar using live-off-the-land binaries.
“To mitigate the probability and impact of a potential breach, hospitals should align with industry frameworks to create a holistic view of their cyber risk, and deploy both proactive and reactive security controls,” said Watkins.