Hackers have thrown several hospitals around the country into chaos the past few days, as a healthcare ransomware attack has hit yet another big health system.
Culver City, Calif.-based Prospect Medical Holdings, a private equity-backed owner of 16 hospitals around the U.S., experienced a cyberattack Aug. 3, causing emergency departments to close, ambulances to be diverted, and other medical services to cease operations.
"Large health systems are big targets because they are quite complex companies that are well known for being a heterogeneous mix of new and old technologies, with layers of distributed support, and all in the context of critical digital service delivery," Jack Kufahl, chief information security officer of Ann Arbor-based Michigan Medicine, told Becker's. "That nature isn't going to change anytime soon. If anything, with the spate of sector mergers, the technological environment is going to be more complex as systems figure out how to integrate while continuing to provide ongoing healthcare delivery."
A recent University of Texas at Dallas study found that merging hospitals are particularly vulnerable to cyberattacks in the two-year window when the transaction is taking place.
With big health systems, "there are a lot of hands in the cookie jar" with all the internal and external IT access points, leaving more avenues for hackers to exploit, said Steven Ramirez, chief information security and technology officer of Reno, Nev.-based Renown Health.
He said many health systems also have legacy hardware and software systems, known in the industry as "technical debt," which only increases in the wake of mergers and acquisitions.
In 2022, Chicago-based CommonSpirit Health similarly fell victim to a ransomware attack — albeit on a larger scale — that disrupted operations at many of its more than 140 hospitals around the country.
"Hospitals are vulnerable because the medical systems used to treat patients aren't always given the priority for security updates from the medical device manufacturers nor the staff that support these medical systems," said Jeffrey Vinson, senior vice president and chief cyber and information security officer of Bellaire, Texas-based Harris Health System. "Healthcare systems and hospitals need to make cybersecurity a priority and understand that cybersecurity and patient care are uniquely intertwined, now and for the foreseeable future, in order to protect themselves."
Prospect Medical said in an Aug. 7 statement to Becker's that its IT teams "are working around the clock to securely restore access to our systems as quickly and as safely as possible, and in a manner that prioritizes our ability to provide patient care."
"While this incident has resulted in operational disruptions at our hospitals and affiliated providers, our clinical staff are trained to provide care in these types of situations," the health system said. "PMH physicians, nurses and staff are implementing workarounds to help mitigate any disruption and provide uninterrupted care to our patients."
Esmond Kane, information security chief of Dallas-based Steward Health Care, said it's a challenging time for CIOs, CFOs and CISOs to deal with cybersecurity, what with "stagnating budgets, an unprecedented talent marketplace, and increasingly industrialized cyber-crime."
"Big health systems solve for big problems — they're on a digital transformation journey to improve patient health and to remain competitive in these uncertain times," he said. "Ransomware actors contribute to that uncertainty. It's to their benefit to disrupt operations and spread confusion."
If health systems don't have centralized security programs or accurate inventory of vulnerable devices, their ability to stay secure is much more difficult than smaller organizations with fewer devices, said E'Jaaz Ali, CISO of Oakland, Calif.-based Alameda Health System.
Hackers also understand that health systems desperate to restore patient care and IT systems might be willing to pay ransom, said Anahi Santiago, CISO of Newark, Del.-based ChristianaCare.
"Unfortunately, many of the organizations that fall victim to ransomware could have avoided the attack by employing basic hygiene. Often the attacks leverage a vulnerability that could have been mitigated prior to the attack — that is not to say that this happens in every case," she said. "Patch and vulnerability management practices should be employed across the organization and serve as core components in any cybersecurity program."