It was approaching midnight on Sunday and the head of IT at a Florida hospital had a problem.
The emergency room of Jackson Hospital, a 100-bed facility on Florida’s panhandle, called to report that it couldn’t connect to the charting system that doctors use to look up patients’ medical histories. Jamie Hussey, Jackson Hospital’s IT director, soon realized that the charting software, which was maintained by an outside vendor, was infected with ransomware and that he didn’t have much time to keep the computer virus from spreading.
The hospital shut down its computer systems on his advice.
“If we hadn’t stopped it, it probably would’ve spread out through the entire hospital,” Hussey said. Hospital staff ditched the electronic records and reverted to pen and paper to keep the hospital running and organized, he said, but patient care wasn’t disrupted.
As Hussey spoke to CNN Tuesday, the hospital’s IT systems were gradually coming online, and he was expecting phone calls from the FBI (which investigates hacking incidents) and Aon, a cybersecurity consultancy that Hussey said was supporting the recovery. He was trying to figure out if the hackers had stolen any hospital data, and if they might need to be paid off to get it back.
The damage could’ve been far worse.
Jackson Hospital is just one of several dozen health care organizations across the US that have had to battle ransomware attacks since the coronavirus pandemic began. The disruptions have cost the sector millions of dollars and prompted urgent calls to hospitals from federal officials to be wary of cybercriminal groups.
One suspected ransomware attack in October 2020 forced the University of Vermont to delay chemotherapy appointments, while another in August 2021 prompted the emergency room at Memorial Health System in Ohio to divert patients to other facilities.
In the early minutes and hours of a ransomware attack, hospital cybersecurity teams are on the front lines of the response; help from federal agencies like the FBI might come later.
Yet hospitals don’t often publicly discuss how quick thinking and preemptive action can be the difference between containing a hack and having it spiral out of control. For Hussey, it has meant minimal sleep since Sunday, and the weight of a 600-person staff at Jackson depending on his IT team of about a dozen to get hospital computers up and running again.
“The new guy I just hired is a cybersecurity graduate, so we broke him in really early,” he quipped.
A gradual recovery
Though Hussey’s team acted quickly, Jackson Hospital’s IT systems haven’t come away completely unscathed.
The emergency room’s charting system could be offline for the rest of the week, he said. (Doctors have been getting ER patient records from other parts of the hospital network).
The entire hospital had to temporarily switch to what medical professionals call “downtime procedures” — contingency plans after Hussey’s team shut computers down. For several hours, things like physician notes and prescriptions for patients were processed by hand.
The attackers also encrypted a computer server that Jackson Hospital uses to store non-critical organizational documents. Hussey was trying to figure out if there was anything in those files that contained data on Jackson patients and, if so, if the hospital should pay a ransom to get them back (he said he wasn’t aware of any ransom demand from the hackers).
The ransomware that Hussey’s team found on the charting system is known as Mespinoza and has racked up 190 victim organizations worldwide across various industries, including several in health care, according to a Department of Health and Human Services advisory on the group last week.
The hacking group is just one of several that haven’t refrained from hitting health care organizations during the pandemic. A study last year by the US Cybersecurity and Infrastructure Security Agency found that ransomware attacks can “lead to significant and sustained” strain on hospitals already reeling from a flood of coronavirus patients.
Allan Liska, senior threat intelligence at cybersecurity firm Recorded Future, said there were 134 publicly reported ransomware incidents involving health care organizations in 2021, up from his 2020 tally of 106 incidents.
But many ransomware attacks don’t make the news.
“I’ve worked with a number of healthcare providers recently that have managed to stop a ransomware attack during the reconnaissance stage,” Liska told CNN. “Sharing this information helps other organizations better understand what they should be looking for and developing better strategies for stopping ransomware.”
‘Lock it down and piss people off’
The recovery process at Jackson Hospital has been meticulous to ensure that malicious code isn’t lingering in some neglected part of the network.
Hussey’s team went down the list of computer systems across the hospital, starting with the most critical, and made sure they weren’t infected with ransomware. They physically disconnected the hospital’s electronic health records system from the rest of the computer network to check them for malicious code before reconnecting to the system.
By Wednesday, hospital computers were back online except for the charting systems used by the ER.
Hussey said the decision to shut computer networks down may not be popular with some hospital staff, “but it’s better to be down a day than be down a month.”
“Lock it down and piss people off,” Hussey, who has worked at Jackson for over 25 years, said in a Southern drawl. “It’s what you have to do just to secure your network.”