In mid-August, state officials in Connecticut began receiving worrisome complaints from constituents about a potentially dire situation unfolding at local hospitals.
One such message, from a woman on Facebook, relayed a desperate plea for help on behalf of her 71-year-old father, who, she claimed, had spent the last two days on a gurney in an emergency room hallway. The picture she painted — one that quickly caught the attention of state representatives and the state Department of Public Health — bordered on post-apocalyptic: an overrun department with doctors, nurses, and staff stretched beyond their capacity and patients unable to receive the attention or medication they needed.
Without enough rooms or beds to go around, patients on gurneys littered the hallways with some forced to sit on the floor. For many, including the woman’s father, who had been rushed to the hospital via ambulance with a broken hip, treatment was either delayed, inadequate, or both. Patients waited for days to be admitted, languishing in pain and without recourse.
“My dad was in the hallway of the ER for two days before he got a bed and there were so many people sitting on the floor and waiting for hours,” the woman wrote, searching for someone — anyone — with the ability to help. “Could there be any solutions to help this situation, like the National Guard or anything?”
INSIDE A RANSOMWARE NIGHTMARE
On the morning of August 3, 2023, a single ransomware attack crippled one of the nation’s largest healthcare networks, compromising the personal data of more than 190,000 individuals and interrupting patient care across five states. Upon noticing the breach, Prospect Medical Holdings — a for-profit medical holdings company that owns 16 hospitals and 165 outpatient facilities in California, Connecticut, Pennsylvania, Rhode Island, and Texas — quickly shut down its clinical operation services and took its IT systems offline.
It would take more than six weeks to restore them.
Shortly after the breach, the ransomware gang known as Rhysida claimed responsibility, alleging, in a listing on the dark web, to have stolen more than 500,000 Social Security numbers and photocopies of employees’ driver’s licenses and passports, along with other legal and financial documents. The veracity of that claim remains in question, but only in a splitting-hairs kind of way. There’s no way around it: Prospect got pillaged. In a recent filing with the Office of the Maine Attorney General, it disclosed that the breach compromised the sensitive personal information of at least 190,492 individuals, including employees and patients.
While some pressing postmortem questions still remain — including exactly how Rhysida was able to infiltrate Prospect’s network (phishing attacks and Cobalt Strike malware are suspected) or if a ransom payment was, indeed, exchanged — one thing is clear: why Prospect and other healthcare organizations are (and will continue to be) prime targets for this sort of attack.
The answer, as you’ll see, is, well, disheartening.
HEALTHCARE AND THE TARGET ON ITS BACK
Nearly three weeks before Rhysida claimed responsibility for the Prospect breach, the Department of Health and Human Services (HHS) issued a worldwide alert about the gang, claiming they were behind a string of recent attacks against other healthcare organizations. It was one of 13 threat alerts and nine briefs the HHS has issued so far in 2023 — a reflection of healthcare’s perpetual, ever-evolving battle with cybercrime.
Given the sheer volume of threats bearing down on today’s IT professionals and the rate at which new malicious actors pop up (with Rhysida being among the youngest, emerging in May 2023), it’s easy to see how notices like this can fall through the cracks, or simply be issued too late. For example, a recent report from Bloomberg noted that cyberattacks on hospitals in the United States have more than tripled over the last five years, putting immense pressure on an industry still struggling to recover from the COVID-19 pandemic.
In late June — more than a month before the attack on Prospect — John Riggi, the national advisor for cybersecurity and risk at the American Hospital Association, reported that health facilities had been hit with 226 digital incursions so far this year, impacting more than 36 million people. All told, healthcare organizations in the United States have suffered 5,478 data breaches since 2009, according to research done by Comparitech. By their estimates, these breaches have compromised nearly 423 million medical records and cost healthcare organizations over $39 billion from 2017 to July 2023 alone.
The unfortunate truth is, healthcare providers around the world have been plagued by cybercrime for decades now, with hackers aiming to exploit the high-stakes nature of their work for big payouts. Way back in 2016 — an IT eternity — Wired Magazine branded hospitals as the “perfect target” for cyberattacks like ransomware, an assertion that has not only proven to be true, but one that continues to snowball in the wrong direction.
According to the 2023 Cost of a Data Breach Report by IBM Security, cybercrime hits healthcare harder than any other industry. In 2022, the average healthcare breach cost $11 million, nearly double that of finance, the next-highest sector, at $5.9 million. But this is nothing new. Healthcare has held down the top spot in IBM’s report for 13 straight years. The more concerning trend is that healthcare has seen a 53 percent increase in the average cost per data breach since 2020. By comparison, the global average cost per breach across all sectors increased by just 15 percent over the same span.
BUT WHY?
It’s no secret that cybercrime, especially ransomware, is on the rise. This isn’t because tech-savvy troublemakers think it a fun hobby. It’s because it’s profitable — aggressively so.
Case in point: Cybercrime will cost the world an estimated $8 trillion USD in 2023 and as much as $10.5 trillion by 2025, according to Cybersecurity Ventures. By 2031, Cybersecurity Ventures expects the global cost of ransomware, the fastest-growing type of cybercrime, to exceed $265 billion. If measured as a country, the total damages pinned on cybercrime this year would account for the world’s third-largest economy, behind only the United States and China. Business, as they say, is booming.
But healthcare, more than any other sector, is under siege. Why?
The answer is as unsurprising as it is simple. Just follow the money. While each cyberattack (and attacker) is unique, their endgame clearly isn’t: financial gain by any means necessary. And, unfortunately for those in healthcare, no other industry has consistently provided cybercriminals with more bang for their buck.
There are a few specific reasons why healthcare has proven particularly profitable for cybercriminals. First, healthcare systems are more likely to contain information with a higher “street value” than your average organization, such as patients’ protected health information and other valuable financial and personally identifying records. In fact, according to Riggi, stolen health records may sell up to 10 times higher than stolen credit card numbers on the dark web.
Additionally, healthcare providers are uniquely vulnerable to infiltration, with larger than average “attack surfaces,” or weak points for malicious actors to exploit. This is due to several inherent industry hazards, including third-party vendors, patient data practices, connected medical devices, supply chain issues, and outdated systems or software.
In the wake of the attack on Prospect, Riggi explained exactly this to The New York Times, saying:
“We’re relying more on cloud-based services, remote third parties. So, all of these things are done with good intention — ultimately to improve patient care and to save lives. But the unintended consequence of this is that it has expanded dramatically our digital attack surface.”
The final, and most insidious, factor is that cybercriminals tend to view healthcare providers as “soft targets.” In a recent blog post on cybercrime and healthcare, Soma Kancherla, senior solutions architect at VMware, explains what this means and why it makes cybercriminals so dangerous. He argues that, since cybercriminals know healthcare providers have a responsibility to keep patients alive and well, they are much more likely to receive consistent ransom payments. Basically, they are willing to exploit the very nature of healthcare as a weakness.
Like I said, disheartening.
THE TRUE COST OF CYBERCRIME
It’s been over two months since the Prospect ransomware attack, and it may take years, still, to fully realize the extent of the damage, both to its bottom line and its reputation. The immediate consequences, however, were dire: emergency rooms closed, ambulances diverted, and clinicians forced to revert to pen and paper processes.
The Connecticut Mirror recently published an in-depth accounting of the entire six-week ordeal, laying out in grim detail what life was like for patients, doctors, nurses, staff, and state officials as they scrambled to keep three local Prospect-owned hospitals running after the breach. According to their reporting, the affected hospitals and affiliated medical offices had to cancel nearly half of their elective procedures and at times couldn’t process X-rays or CT scans that are vital for treating potential stroke or heart attack victims.
Manchester Memorial Hospital was so crippled by the attack, according to the CT Mirror, that officials notified emergency services in eastern Connecticut they could not take patients, forcing crews to divert people to hospitals as far away as Massachusetts. And, at one point in August, state officials were so concerned about staffing issues at Waterbury Hospital they considered activating the volunteer Medical Reserve Corps, which had previously been done only during the height of COVID.
Cyberattacks on hospitals have been known to wreak such devastation that, recently, a team of researchers at UC San Diego concluded they “should be considered a regional disaster.” According to their research, which documented a ransomware attack on a neighboring hospital in 2021, the number of confirmed strokes nearly doubled in the wake of the breach, as did the number of patients who left altogether without seeing a doctor. The authors also found that, compared to the weeks prior, the hospital had nearly 600 additional patients waiting in the ER with the staff experiencing “serious resource constraints.”
Riggi agrees with this assessment, recently telling Chief Healthcare Executive:
“These are threat-to-life crimes. These are not data crimes. These are not white-collar crimes. And the adversaries have to understand, when we are diverting ambulances with stroke, heart attack and trauma patients, people’s lives are at risk.”
This is the rotten core at the center of it all. The fact is, when cybercriminals target healthcare systems, they are purposefully and willingly putting lives at risk. They do not consider interruptions to patient care a flaw to be avoided, or even regrettable collateral damage. It’s a feature — one that earns them quicker, more consistent payouts.
The ruthlessness of this equation cannot be understated nor ignored.
For healthcare systems, the true cost of cybercrime is — or at least should be — expressed, not solely in terms of downtime, data corruption, and dollars lost, but primarily in terms of impact on patient care. When critical IT systems go down at a hospital, like in the case of Prospect, patient care is interrupted — often for extended periods of time — and human lives hang in the balance. However unpleasant, this is the story we need to be telling with consistency. Healthcare organizations must begin to fully understand what they’re up against.
As we’ve seen, and will continue to see, a single attack can negatively impact much more than just the livelihoods of healthcare executives. It can permanently alter the very real lives of the patients who trust them. The woman whose elderly father had to wait for days on a gurney in an ER hallway, for example, is just one of many to get caught in the crossfire. She’s still searching for answers.
“I just felt bad that we couldn’t do more to help him, and we couldn’t do more to get him the comfort he needed,” she said. “You feel very powerless when there’s nothing you can do. You’re sort of at the mercy of what else is happening.”