Jun 16, 2023 - Health

Hospitals could be one cyberattack away from closure

Illustration: Annelise Capossela/Axios

Cyberattacks against hospitals are taking a toll beyond patient safety and privacy: they're threatening to put the most financially vulnerable facilities out of business entirely.

Driving the news: The costs of recovering from a 2021 ransomware attack were too much for St. Margaret's Health in Spring Valley, Illinois, which is closing today.

  • Experts say it's an example of the potential financial toll of increasingly sophisticated attacks that have hijacked medical devices, taken websites offline and threatened health systems' financial ratings.
  • "The economic reality of small and rural hospitals is that their overall IT teams are likely to be small," Nate Couture, CISO of the University of Vermont Health Network, told Information Security Media Group.

Officials at St. Margaret's Health pointed to a 2021 cyberattack that took the hospital's computer systems down for at least 14 weeks, per NBC News.

  • It blocked the hospital and its clinics from being able to submit claims to private insurers, Medicare or Medicaid — and the problem snowballed from there.
  • "You're dead in the water," an administrator told NBC. "Then you're trying to recover. Nothing went out. No claims. Nothing got entered. So it took months and months and months."

State of play: Elsewhere, billing remains "on hold" this week at Idaho Falls Community Hospital as it continues to recover from a May 30 "IT incident." With systems taken offline, it was forced to divert ambulances to nearby hospitals and temporarily close some of its clinics.

  • A medical center in Murfreesboro, Tennessee, was forced to shut down operations for two weeks after an April attack. "I would not wish this on anybody," the CEO of Murfreesboro Medical Clinic told WKRN.
  • The 722-bed Tallahassee Memorial HealthCare was shut down for two weeks in February because of a breach, forcing the cancellation of elective surgeries and flooding the smaller neighboring Capital Hospital with transferred patients, the Tallahassee Democrat reported.

By the numbers: Health care organizations averaged 1,463 cyberattacks globally per week in 2022, up 74% compared with 2021, according to health care cybersecurity group Intraprise Health.

  • While some have built cyber defense into the cost of doing business, medical data breaches remain among the most expensive, averaging about $10.1 million each, Healthcare Dive reported from an IBM Security report.
  • For some, affording enough cyber insurance to mitigate the financial risk can be challenging, Rob Rosenzweig, a senior vice president and the National Cyber Risk practice leader at brokerage firm Risk Strategies, told Axios.
  • "There's a threshold where even what might be the right amount of insurance to help you manage what may be a catastrophic loss is unfortunately not commercially viable given the cost and budgetary constraints might be," he said.

Between the lines: Reimbursement is only one of the potential financial impacts of a cyberattack, said Matthew Cahill, a Moody's analyst.

  • "There's a lot of operational disruption and one-time costs as a result of cyber attacks," he said. That might include the expense of bringing in consultants to help address the breach, costs to update IT equipment, lost revenue from diverted business and potential lawsuits, Cahill said.
  • In one incident affecting a major health system, CommonSpirit reported earlier this year that an October breach cost it roughly $150 million from the expense to fix the problem and lost revenue. It was also hit with a class action lawsuit, Fierce Healthcare reported.
  • One of the most common varieties of attacks is ransomware, which can lock up electronic health records, communications and test results. One such attack in 2020 on the University of Vermont medical center cost more than $50 million in damage, per ABC News.

What we're watching: Congress is eyeing the vulnerabilities of rural hospitals in particular. The Rural Hospital Cybersecurity Enhancement Act cleared the Senate Homeland Security and Governmental Affairs Committee this week.

  • The measure would require the Cybersecurity and Infrastructure Security Agency director to develop a rural hospital cybersecurity workforce strategy.

The bottom line: The ultimate concern is that patients could get harmed if they can't access timely care because a local hospital is suddenly unavailable.

  • "If there's no other facility nearby to absorb that volume, patient lives could be at risk here," Cahill said.