INDIANAPOLIS — Over 25 hospitals and healthcare systems in Indiana have been attacked by hackers in recent years, and the numbers are not letting up.
In fact, they’re persistent, trying regularly to break into computer systems all around the state. The first attack happened to Hancock Health. Since that time, CEO Steve Long has taken it upon himself to share the experience with other hospital systems to try and get ahead of the hackers.
“It was a Thursday evening, and I was notified by our administrator that we began to see messages appearing on our computer screens,” Long said.
The year was 2018. Long admitted he was caught off guard.
“When this happens, you don’t know how to fix it, so you go out and get help,” Long said.
That help was a cyber security firm out of Indianapolis called Pondurance. That firm discovered how the hackers got in and essentially cleaned up the mess.
In this case, Long said the hackers did not want patient information. They only wanted money, specifically $55,000 paid in BitCoin.
The ensuing investigation found the hackers were headquartered thousands of miles away in Iran.
The Indiana Hospital Association says 26 other systems have experienced cyberattacks, including:
- 3 systems in St. Joseph County
- 1 system in Monroe County
- 9 systems in Marion County
- 2 systems in Elkhart County
- 1 system in Gibson County
- 1 system in Johnson County
- 1 system in Tippecanoe County
- 1 system in Cass County
- 1 system in Delaware County
- 1 system in Jefferson County
- 1 system in Wayne County
- 1 system in Hamilton County
- 1 system in Jackson County
- 2 systems in Lake County
Franciscan Health was hit a little over a year ago, and that time it wasn’t for money. Jay Bhat, the administrative director of information security for Franciscan Health, agreed to be interviewed about the attack.
“It was a cyber group associated with Russia, called ‘Killnet’,” Bhat said.”They are a political ‘hactivism’ group. One of our hospitals was doing a fundraising campaign providing supplies to Ukraine and that’s how we got on their list.”
Killnet shut down Franciscan’s web page for 3 hours. However, experts say hackers are capable of much more damage than that.
The CEO of Norton King’s Daughters’ Health, Carol Dozier, told reporters in a virtual news conference earlier this year that her whole hospital was affected by hackers.
“We had to shut down some of our services during that time because we could not run equipment, so that had a great impact,” Dozier said.
With the right password, hackers could get into the computers in emergency rooms and intensive care units. If they get unfettered access, these hackers can affect when medicines are given, how heart monitors send out alerts and whether ventilators used to keep a person alive will even work.
Dr. Matthew Surburg has written a book called “Cyberpocalypse: Inside the Digital Assault on Healthcare” that details the threat. Surburg worked at Hancock Health when that hospital was attacked.
“CT scanners, insulin pumps, cardiac devices and anything on the internet is now a potential point of entry, so they all need some sort of security,” Surburg said. “Hospital systems have come to realize it’s not if, but when they will be attacked. Many have taken the offensive and have taken steps to keep information and patients safe, including conducting drills and training staff, updating passwords, using Artificial Intelligence to search for patterns and using human surveillance to spot those who are trying to gain entrance.”
The Indiana Hospital Association weighed in on cyberattacks for this report.
“Indiana hospitals have taken a wide variety of measures, including implementing ‘hack’ labs to test medical devices before they are used for patient care, performing risk assessments annually to understand any critical vulnerabilities with these systems, and aligning their IT systems to key governance standards provided by the joint commission, Federal Emergency Management Agency (FEMA), Cybersecurity & Infrastructure Security Agency (CSA) and the US Department of Homeland Security. These protective measures come at a significant cost, and it is estimated that cyber risk insurance is a 6.5 billion dollar industry as more and more hospitals are reviewing their policies and increasing coverage.”Indiana Hospital Association
According to Modern Healthcare magazine, it can cost more than $4 million for an organization to recover from a single cyberattack. Additionally, a poll of 600 healthcare information technology professionals found nearly 90% of organizations had experienced at least one cyberattack in the past year.
Experts with the FBI said they are aware that even more problems are out there.
“People could actually die with these types of attacks,” former FBI agent Paul Keenan said. “It’s hugely important with hospitals. Private information could get out and be sold on the dark web, which is another reason these hackers do this. It could harm thousands of people, so yes, it’s a big deal.”
Several hospital systems address their cyberattacks on websites and online, including IU Health and Eskenazi.
The reality, Keenan said, is cyberattacks on hospitals is a business. He said hackers can actually buy or rent ransomware to encrypt systems and that hospitals have no other way to combat it than to stay one step ahead of these nefarious players.