A cyberattack disrupted service at an Ohio hospital
by Kapua Iao
A November 11 cyberattack disrupted service at Southern Ohio Medical Center (SOMC), a not-for-profit hospital in Portsmouth, Ohio.
Such cyberattacks are an increasing problem within the healthcare industry. Moreover, they demonstrate why it is vital for healthcare providers to be HIPAA compliant and utilize strong cybersecurity measures.
SEE ALSO: HIPAA compliant email
If a data breach transpires, covered entities may face stolen protected health information (PHI), a ransom demand, and angry patients. Some may also face overwhelming problems including shut-down services and closure.
According to a November 11 SOMC Facebook post “An unauthorized third-party gained access to SOMC’s computer servers in what appears to be a targeted cyber attack.”
The breach forced the hospital into electronic health record (EHR) downtime procedures. For most organizations, this means reverting to note-taking using pen and paper. And unfortunately, it could also mean limited access to PHI and therefore interrupted patient care.
Patients also reported that the SOMC patient portal was down, which meant no patient access to personal EHR.
After detecting the breach, the hospital diverted ambulances although the ER remained open for non-ambulance issues. Individual departments evaluated when and how they can reopen. In fact, several subsequent SOMC Facebook posts note canceled appointments at least through November 19.
Within its statement, SOMC added that the hospital is working with federal law enforcement to investigate. No other information has been released.
Why SOMC? Why healthcare?
Healthcare organizations are vulnerable and susceptible to cyberattacks for a variety of reasons:
- Wealth of valuable data
- More likely to pay a ransom
- Numerous and vulnerable attack surfaces
- Untrained, tired employees
- Lax cybersecurity
What’s more, cyberattacks intensified during the COVID-19 pandemic as threat actors took advantage of the move toward remote work. And the deluge of attacks only continues—especially ransomware attacks on healthcare providers.
At least 50% of all healthcare breaches are caused by ransomware attacks because of the prospect of making money off a ransom or PHI sold on the black market.
RELATED: Nations pledge to combat ransomware
We do not yet know the how or why of the SOMC attack; more than likely, it was an easy target.
The cost of a cyberattack
No matter the reason for a cyberattack, the consequences can be severe for healthcare professionals.
Organizations may have to pay a hefty ransom to restore a network, retrieve PHI, or keep patient information from being publicly released. There is even a risk of patients suing for not protecting PHI.
Furthermore, covered entities also have to deal with the U.S. Department of Health and Human Services and HIPAA compliance. They may face a HIPAA investigation and violation as well as a hefty fine and a corrective action plan.
Finally, one of the biggest concerns is downtime and disruption to service, as is the case with SOMC. Research shows that organizations face an average of 19 days of downtime after a ransomware attack.
Be proactive and practice cyber resilience
Rather than deal with the fallout from a cyberattack and disrupted service, healthcare organizations must take a proactive approach to cybersecurity. It is important to secure a network and all threat vectors (i.e., access points) before a breach occurs.
U.S. cybersecurity and governmental agencies have released guidance addressing cyber resilience, believing a solid response is key to blocking a data breach.
Generally, a strong approach includes cybersecurity layers, such as:
- Consistent policies and procedures
- Strong technical and physical access controls
- Patched and/or updated legacy systems
- Regular employee awareness training
- Email security (i.e., HIPAA compliant email)
- Clear recovery and backup plans
The SOMC and other recent incidences serve as an important reminder to healthcare organizations to have solid cyber hygiene. This means continuously evaluating existing systems and proactively protecting vulnerable attack surfaces.
Having a strong cybersecurity plan in place is the only way to protect patients and their PHI.