Just weeks after a report from the GOA stated that the “U.S. grid’s distribution systems—which carry electricity from transmission systems to consumers and are regulated primarily by states—are increasingly at risk from cyberattacks,” a major cyberattack has paralyzed hospitals and health care services in numerous states.
The attack has incited a challenging recovery process and has potentially life-threatening implications. In an era increasingly reliant on digital connectivity, this disturbing incident illustrates the critical threat that cyberattacks pose to healthcare systems and patient safety.
Prospect Medical Holdings, a healthcare company that manages hospitals and clinics across California, Texas, Connecticut, Rhode Island, and Pennsylvania, announced that its primary care services remained inaccessible on Friday, as security experts battled to contain and resolve the cyberattack’s effects.
John Riggi, the American Hospital Association’s national advisor for cybersecurity and risk, emphasized the severity of the situation. “These are threat-to-life crimes, which risk not only the safety of the patients within the hospital, but also risk the safety of the entire community that depends on the availability of that emergency department to be there,” Riggi said.
Prospect’s operations were abruptly halted when the cyberattack was discovered on Thursday. “Upon learning of this, we took our systems offline to protect them and launched an investigation with the help of third-party cybersecurity specialists,” the company said in a statement. As the situation continues to unfold, the organization is prioritizing patient needs while working to restore normal operations.
Connecticut experienced significant disruptions with the emergency departments at Manchester Memorial and Rockville General hospitals closing for much of Thursday. Consequently, patients were redirected to other local medical facilities. “We have a national Prospect team working and evaluating the impact of the attack on all of the organizations,” Jillian Menzel, chief operating officer for the Eastern Connecticut Health Network, said.
The FBI in Connecticut is cooperating with law enforcement partners and victim entities, albeit they remain reticent regarding the ongoing investigation.
An array of services, from elective surgeries to outpatient appointments and blood drives, was suspended. Despite emergency departments resuming operations late on Thursday, many primary care services remain shuttered, according to the Eastern Connecticut Health Network.
Waterbury Hospital, another facility in the Prospect network, resorted to manual procedures and paper records until the issue can be resolved, according to spokeswoman Lauresha Xhihani.
In Pennsylvania, the cyberattack disrupted services at several facilities, including the Crozer-Chester Medical Center, Taylor Hospital, Delaware County Memorial Hospital, and Springfield Hospital. Prospect’s seven California hospitals, spanning Los Angeles and Orange counties, were also potentially affected.
Healthcare systems have emerged as prime targets for cybercriminals, largely due to the wealth of sensitive patient data they house, such as medical histories, payment information, and even valuable research data. IBM’s annual report on data breaches revealed that the healthcare sector suffered the most cyberattacks globally in the year ending in March, with the average cost of each breach estimated at a staggering $11 million.
Though hospitals are constantly working to implement better security measures and backup systems to mitigate and respond to such attacks, Riggi stressed that total safety is virtually impossible. The necessity for network-connected technologies in modern healthcare increases the ‘digital attack surface,’ rendering healthcare systems particularly vulnerable to cyberattacks.
As we navigate an increasingly interconnected world, it is imperative that we address the growing threat of cyberattacks on our critical infrastructure, especially in the healthcare sector where the stakes are a matter of life and death.