NewsNation Now

Ransomware attacks hurting hospitals

Staff at The University of Kansas Health System St. Francis campus are seen on the first level of the hospital on Nov. 29, 2022, in Topeka, Kan. The University of Kansas Health System-St. Francis Campus in Topeka is on “divert status” because of a Nov. 23, 2023, cyber attack. Debbie Cluck, a spokeswoman, said it affects ambulance and that the emergency room is open. The disruption is sending patients flooding into the city's other hospital. (Evert Nelson/The Topeka Capital-Journal via AP)

(NewsNation) — A series of ransomware attacks targeting hospitals could be especially destabilizing for rural providers and their patients, whose alternatives are often limited.

Hospitals across the United States have been hit by ransomware attacks that have disrupted emergency operations, insurance billing and, in at least one case, pushed a struggling hospital to close its doors. Twenty-five U.S. health care systems with 290 hospitals were hit last year, according to numbers reported by the Associated Press. This year, at least 36 systems with 128 hospitals have been impacted.

It’s a crime that doesn’t discriminate by company size or location, said Jake Milstein, chief marketing officer at the cybersecurity company Critical Insight. For that reason, attacks that strike rural communities can be especially debilitating, leading to canceled appointments and longer commute times to other treatment providers — even during emergencies.

“I still talk to people who are like, ‘Oh, we’re too small. We’re in the middle of nowhere. They’ll never come for us,’” Milstein said. “That’s just not true.”

An Illinois hospital in June announced it would close its doors, citing a 2021 ransomware attack.

St. Margaret’s Health in Spring Valley was unable to submit claims to insurers, Medicare or Medicaid for months after the attack, which led to a financial spiral.  

“Rural hospitals have been struggling throughout the nation and many have already closed,” Sister Suzanne Stahl, chair of the hospital’s parent organization SMP Health, told NewsNation’s Nick Smith in June when the closure was announced. “It has become impossible to sustain our ministry. This saddens us greatly.”

Hospitals in many rural areas are already stretched thin. Median operating margins among rural hospitals increased during the early stages of the COVID-19 pandemic, but have since fallen significantly, a February 2023 KFF analysis found.

Those numbers fell from 7.7% in July 2019-June 2022 to 3.3% in July 2021-June 2022.

“We’re not giving them the money they need to protect themselves against the criminals who are so well funded, they are funded by foreign governments,” Milstein said. “And I think we have to keep that in mind when our hospital gets hit by a cyberattack.”

Groups behind the ransomware attacks have been traced to places including North Korea, Russia and Iran, Milstein said.

In July 2022, the U.S. Cybersecurity Infrastructure and Security Agency (CISA) issued an advisory warning against North Korean state-sponsored attacks. The groups had been targeting health care groups since at least May 2021, according to the advisory.

New threats emerge frequently, and tackling them as a whole is a challenge. Meanwhile, hospitals are left to balance patient safety against system-wide data breaches.

Nashville, Tennessee-based Ardent Health Services, which operates 30 hospitals across six states, took its network offline after learning it was the victim of a ransomware attack in late November.

Facilities are rescheduling some non-emergency, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online.

Last month, the U.S. Department of Health and Human Services warned industry workers about a ransomware threat known as BlackSuit. Officials suspect the group is responsible for an October attack against an organization that provides medical scans and radiology services for nearly 1,000 hospitals in the U.S., according to CISA.

The impacted hospital groups shut down their computer systems and turned away patients.

BlackSuit is just one of countless ransomware groups posing a threat to hospitals and other industries, however.

Although the people behind the attacks are sometimes brought to justice, the groups can be hard to eliminate entirely. Once one gang is busted, members oftentimes break off into adjacent organizations with similar goals, Milstein said.

That goal, he underscored, isn’t to hijack patients’ medical history, but to hold it ransom for money. Medical records in particular contain more personal information like addresses, phone numbers, emergency names and contacts and insurance provider details, Milstein said.

“Every now and then it’s about disruption and nation-state terrorism, but most of the rural hospital attacks are really just about money,” Milstein said.

It can take months to get operations back up and running after an attack, but paying a ransom comes with major risks and no guarantees. It can make organizations a target for future attacks, and even once the money’s paid, victims don’t always see their systems restored.

“Again, it’s all money motivation,” Milstein said. “They are not money-motivated to help you decrypt the ransomware. They’re money-motivated to get you to pay the ransom because they encrypted your system.”

Milstein encouraged hospitals to align themselves with the National Institute of Standards and Technology’s cybersecurity framework to help prevent attacks, and to team with an outside agency that can help with preparedness and response.

“Make sure you’re getting the outside help you need,” he said.