Cyberattacks can cripple hospitals and boost mortality rates; regulators are taking notice
Cyberattacks can disrupt life-sustaining hospital procedures. Credit: Newsday/Jeffrey Basinger
Long Island hospitals may soon need to comply with a new type of hygiene standards — cybersecurity ones.
Hackers have been breaking into hospitals' information systems in New York and other states, slowing clinicians’ communications with labs, pharmacists and insurers, forcing ambulances to reroute and delaying treatment for those in acute distress.
Cyberattacks are not known to have disrupted clinical care at Long Island hospitals, but major health systems here declined requests to discuss the issue or to detail their experiences, with some citing concerns about raising their profile as potential targets.
Few reliable data sources exist on cyberattacks. Federal guidelines have historically focused on protecting privacy and alerting patients when there are lapses in safeguarding their information, said health-sector cyber experts. Organizations have to report data breaches, but don't have to specify when incidents involve hackers demanding or receiving a ransom.
In recent years, hospitals have generally grown more resilient and managed to recover from ransom attacks without paying assailants, according to John Riggi, an FBI veteran now advising the American Hospital Association trade group on cybersecurity. He estimates that 25% to 30% of hospitals now pay ransoms, compared with more than half a few years ago.
Still, the severity of incursions pushed Congress to enact a measure that will eventually require disclosure of ransom payments and convinced regulators that it is time to shore up the sector. Hospitals can face several attacks a day, many from organized groups in countries where American authorities cannot easily pursue bad actors, cybersecurity experts said. Although just a fraction of attempts succeed, intrusions can disrupt operations and delay care enough to increase mortality rates, research shows.
Attacks have become so prolific that the state Department of Health wrote in a memo that it responded to more than one cyber incident a month in 2023, but wouldn't provide details.
Now, the department wants to establish cybersecurity rules for hospitals and get their governing boards involved with the issue. The federal government has also announced plans to draft digital safety standards for health providers.
Hackers set their sights on hospitals because they’re believed to be likelier to pay ransoms if lifesaving care is at risk, experts said. They are also highly regulated and have caches of data subject to privacy regulations. The broader health industry has suffered the most expensive data breaches — costing an average of $10.93 million each — for more than a dozen consecutive years, according to a 2023 report from IBM, which looked at more than 550 organizations in various sectors that had data compromised between March 2022 and March 2023.
In ransomware attacks — which became more common in recent years — hackers get into an organization’s network and block access to the system, often by encrypting — or rendering indecipherable — the information it contains, said Dr. Jeffrey Tully, an anesthesiologist and co-director of the Center for Healthcare Cybersecurity at the University of California San Diego. The hackers then hold the material ransom until the victims send a payment, typically in cryptocurrency.
“Almost on a weekly basis, we hear about one of these incidents,” Tully said.
At least 141 hospitals were impacted by ransomware attacks in 2023, among more than 2,200 schools, governments and public institutions, according to a report from Emsisoft, an anti-malware company based in New Zealand.
The state Department of Health said it couldn’t provide data on cyberattacks because it's not always notified about incidents, but the national tally includes some facilities in New York.
Richmond University Medical Center on Staten Island had to assign nurses to monitor patients during an attack, according to news reports. Ambulances were diverted from HealthAlliance Hospital in Kingston, Margaretville Hospital in the Catskills as well as the Carthage Area Hospital and Claxton-Hepburn Medical Center upstate this fall, according to news reports. The CEO of the latter two institutions, Rich Duvall, has said his team defied ransom demands.
The digital strikes can bring dire consequences. In-hospital morbidity rates are estimated to increase more than 20% for patients who are hospitalized at the time of an attack compared with the preceding weeks, according to an analysis of intrusions between 2016 and 2021 conducted by researchers at the University of Minnesota. Outcomes may worsen because staff can't operate as efficiently, patients can't be treated as quickly and clinicians may not have access to the most precise tools, such as quality imaging technology to guide emergency care, experts said.
Operations at nearby hospitals also suffer, according to research Tully published. These facilities often see an influx of patients, so wait times and delays may rise, Tully said. People in the midst of heart attacks, strokes or other time-sensitive crises may need to travel further in ambulances and, consequently, have worse outcomes, health experts said.
Even an intrusion at a service provider can cause issues. An attack on Change Healthcare, a billing system, has prevented hospitals, clinics and pharmacies from verifying insurance information and made it difficult for them to get paid. Some patients have struggled to pay for drugs out-of-pocket.
“You don’t have to be the one hit by the missile,” said Joshua Corman, who was chief strategist of the federal Cybersecurity and Infrastructure Security Agency's COVID task force, which focused on supporting hospitals during the pandemic when ransomware attacks spiked. “You just have to be in the blast radius to take the blow,” he said.
Long after normal operations have resumed, cyberattacks can leave hospitals financially reeling. Many don’t have the margins to sustain breaks in their billing, with one hospital in Spring Valley, Illinois, hospital saying a cyberattack contributed to its permanent closure, according to Corman.
For decades, hospitals have been prepared to go on “downtime” or revert to paper records and traditional methodology when technology malfunctions, said Dr. Eugene Heslin, chief medical officer for the state Department of Health. Clinicians are equipped to do things the old-fashioned way.
But downtime operations take longer and require more staff. Getting medication sent up from the pharmacy suddenly requires a doctor to write a prescription by hand, a clerk to fax it to the pharmacy, and staff there to manually review the order for interactions with patient’s existing prescriptions, he said.
Similar challenges may exist in exchanging information with external partners like labs, imaging centers and insurers, Heslin noted.
Medical administrators may ask the state to put them on diversion — that is, have ambulances take patients to alternative hospitals. Rerouting acute patients becomes paramount if clinicians are confronted with obstacles that degrade the quality of care they can provide. For instance, diversion may make sense if staff can’t receive X-ray images digitally and zero in on areas of concern, but instead have one static image to work with, Heslin said.
Hospitals and the state improved their ability to handle regional disruptions during the COVID-19 pandemic, Heslin said. The state started a surge-and-flex system, which moved patients to facilities best equipped to handle them, marshaled extra ambulances and directed resources where they were needed.
Now, the department wants notice within two hours of hospitals uncovering a cybersecurity incident when intruders gain unauthorized access to its information system and the incident is likely to hinder normal operations. It has drafted rules that would elevate cybersecurity measures and contingency operation plans to the desk of hospital executives for approval.
Each hospital’s governing body would have to annually review how its cybersecurity policies are working and could be improved, informed by penetration testing, where an expert attempts to break into hospitals’ systems to pinpoint vulnerabilities.
Hospitals would need to tap a chief information security officer to spearhead their cyber strategy, including verification that software systems and third-party vendors meet minimum standards.
The measures have been already put before the public for comment and could be approved at any point. The health department estimates meeting the standards will initially cost up to $10 million per hospital depending on its size and cybersecurity system. Annual upgrades may require up to $2 million, according to the department, which said grants are available to help health systems do upgrades.
A federal agency charged with setting health policy, the U.S. Department of Health and Human Services, announced it would propose enforceable cybersecurity standards tied to the public health programs Medicare and Medicaid. This spring, HHS wants to start updating the Health Insurance Portability and Accountability Act — a rule that obligates health providers and their business partners to protect patient data.
The state's guidelines would give hospitals a checklist to run through for years to come when they integrate new clinical and IT advances into their operations, said Dr. Gerald Kelly, chief information officer and a physician at Stony Brook Medicine.
“It’s important to have a road map,” he said. “In some ways, it even helps folks communicate with their institution to make sure they’re investing in things.”
Stony Brook Medicine routinely updates cybersecurity policies, revisits contingency plans and conducts drills on operating during an emergency, Kelly said.
But training has perhaps been the top priority. Attacks are constant and bad actors can exploit something as simple as a distracted employee clicking on an attachment from an email address impersonating someone in their professional network, said Andy Hoffman, chief information security officer at the health system.
“No matter how much money, no matter how much you put out there, if you’re on the grid, if you’re on the net, you’re always going to be attacked,” Hoffman said. “We do take this very, very seriously.”
Stony Brook Medicine executives declined to say whether any attacks had been successful in recent years.
Researchers haven't found a significant difference in how sophisticated the IT systems were at hospitals breached by hackers and other hospitals, according to an analysis from University of Minnesota School academics. Facilities that suffered intrusions tended to be larger, have a higher net operating revenue and offer trauma, emergency and obstetric care services, according to a review of attacks from 2016 to 2021.
Other major hospital systems on Long Island, including Northwell Health, Catholic Health and NYU Langone declined or did not respond to interview requests. Northwell patient data was exposed in an attack on a medical transcript provider’s system, and a group administering benefits for Catholic Health employees had a breach that may have exposed emails, the health systems said. The breaches didn't impact their operations, they've said.
Many of the protocols put forward by the state are already enacted at hospitals in New York, said Thomas Hallisey, director of digital health for the Healthcare Association of New York State, a trade group for hospitals and other providers. Still, some requirements could be a bigger lift, particularly for hospitals with a tight budget, he said. Having to vet the security of third-party apps and partners would be particularly challenging, according to Hallisey.
But he believes these sorts of organizations will become directly responsible for their products' security once the federal government takes action. So he is mostly concerned that the two governments' frameworks work in tandem.
“Any duplication of effort or extra effort to meet two separate rules would be time spent with valuable resources that is no longer improving security, but meeting rules,” Hallisey said.
The state Department of Health said it is reviewing feedback on its proposal and working aggressively to establish regulations. Its team stays on top of federal policies and any related guidance from Washington will be reflected in the state's standards, DOH said.
Hospitals are concerned the federal government will make meeting its standards a condition of participating in Medicare and Medicaid, a key revenue source for most hospitals, according to Riggi, from the American Hospital Association. He said that's too harsh of a punishment.
HHS didn't directly respond to questions from Newsday.
Still, others stressed it is crucial to concentrate on raising hospital standards, specifically on lifesaving backup protocols.
“When you're already a financially distressed hospital, you can't afford to spend money on something that doesn't actually protect you,” Corman said.
Long Island hospitals may soon need to comply with a new type of hygiene standards — cybersecurity ones.
Hackers have been breaking into hospitals' information systems in New York and other states, slowing clinicians’ communications with labs, pharmacists and insurers, forcing ambulances to reroute and delaying treatment for those in acute distress.
Cyberattacks are not known to have disrupted clinical care at Long Island hospitals, but major health systems here declined requests to discuss the issue or to detail their experiences, with some citing concerns about raising their profile as potential targets.
Few reliable data sources exist on cyberattacks. Federal guidelines have historically focused on protecting privacy and alerting patients when there are lapses in safeguarding their information, said health-sector cyber experts. Organizations have to report data breaches, but don't have to specify when incidents involve hackers demanding or receiving a ransom.
What to know:
- Hospital care has been disrupted in New York State and the broader U.S. by cyberattacks.
- Mortality rates rise when a hospital is under attack, research shows.
- Cybersecurity standards are in the works at both the state and federal level.
In recent years, hospitals have generally grown more resilient and managed to recover from ransom attacks without paying assailants, according to John Riggi, an FBI veteran now advising the American Hospital Association trade group on cybersecurity. He estimates that 25% to 30% of hospitals now pay ransoms, compared with more than half a few years ago.
John Riggi, a cybersecurity adviser to the American Hospital Association, believes fewer hospitals are paying ransom now than a few years ago. Credit: John Riggi
Still, the severity of incursions pushed Congress to enact a measure that will eventually require disclosure of ransom payments and convinced regulators that it is time to shore up the sector. Hospitals can face several attacks a day, many from organized groups in countries where American authorities cannot easily pursue bad actors, cybersecurity experts said. Although just a fraction of attempts succeed, intrusions can disrupt operations and delay care enough to increase mortality rates, research shows.
Attacks have become so prolific that the state Department of Health wrote in a memo that it responded to more than one cyber incident a month in 2023, but wouldn't provide details.
Now, the department wants to establish cybersecurity rules for hospitals and get their governing boards involved with the issue. The federal government has also announced plans to draft digital safety standards for health providers.
The rise of ransoms
Hackers set their sights on hospitals because they’re believed to be likelier to pay ransoms if lifesaving care is at risk, experts said. They are also highly regulated and have caches of data subject to privacy regulations. The broader health industry has suffered the most expensive data breaches — costing an average of $10.93 million each — for more than a dozen consecutive years, according to a 2023 report from IBM, which looked at more than 550 organizations in various sectors that had data compromised between March 2022 and March 2023.
In ransomware attacks — which became more common in recent years — hackers get into an organization’s network and block access to the system, often by encrypting — or rendering indecipherable — the information it contains, said Dr. Jeffrey Tully, an anesthesiologist and co-director of the Center for Healthcare Cybersecurity at the University of California San Diego. The hackers then hold the material ransom until the victims send a payment, typically in cryptocurrency.
“Almost on a weekly basis, we hear about one of these incidents,” Tully said.
At least 141 hospitals were impacted by ransomware attacks in 2023, among more than 2,200 schools, governments and public institutions, according to a report from Emsisoft, an anti-malware company based in New Zealand.
The state Department of Health said it couldn’t provide data on cyberattacks because it's not always notified about incidents, but the national tally includes some facilities in New York.
Richmond University Medical Center on Staten Island had to assign nurses to monitor patients during an attack, according to news reports. Ambulances were diverted from HealthAlliance Hospital in Kingston, Margaretville Hospital in the Catskills as well as the Carthage Area Hospital and Claxton-Hepburn Medical Center upstate this fall, according to news reports. The CEO of the latter two institutions, Rich Duvall, has said his team defied ransom demands.
The digital strikes can bring dire consequences. In-hospital morbidity rates are estimated to increase more than 20% for patients who are hospitalized at the time of an attack compared with the preceding weeks, according to an analysis of intrusions between 2016 and 2021 conducted by researchers at the University of Minnesota. Outcomes may worsen because staff can't operate as efficiently, patients can't be treated as quickly and clinicians may not have access to the most precise tools, such as quality imaging technology to guide emergency care, experts said.
Operations at nearby hospitals also suffer, according to research Tully published. These facilities often see an influx of patients, so wait times and delays may rise, Tully said. People in the midst of heart attacks, strokes or other time-sensitive crises may need to travel further in ambulances and, consequently, have worse outcomes, health experts said.
Even an intrusion at a service provider can cause issues. An attack on Change Healthcare, a billing system, has prevented hospitals, clinics and pharmacies from verifying insurance information and made it difficult for them to get paid. Some patients have struggled to pay for drugs out-of-pocket.
“You don’t have to be the one hit by the missile,” said Joshua Corman, who was chief strategist of the federal Cybersecurity and Infrastructure Security Agency's COVID task force, which focused on supporting hospitals during the pandemic when ransomware attacks spiked. “You just have to be in the blast radius to take the blow,” he said.
Joshua Corman holds a heart pacemaker as an example of a medical device that might be affected by cyber hacking. He testified at a Senate hearing in Washington. Credit: US Senate
Long after normal operations have resumed, cyberattacks can leave hospitals financially reeling. Many don’t have the margins to sustain breaks in their billing, with one hospital in Spring Valley, Illinois, hospital saying a cyberattack contributed to its permanent closure, according to Corman.
Going manual
For decades, hospitals have been prepared to go on “downtime” or revert to paper records and traditional methodology when technology malfunctions, said Dr. Eugene Heslin, chief medical officer for the state Department of Health. Clinicians are equipped to do things the old-fashioned way.
But downtime operations take longer and require more staff. Getting medication sent up from the pharmacy suddenly requires a doctor to write a prescription by hand, a clerk to fax it to the pharmacy, and staff there to manually review the order for interactions with patient’s existing prescriptions, he said.
Similar challenges may exist in exchanging information with external partners like labs, imaging centers and insurers, Heslin noted.
Medical administrators may ask the state to put them on diversion — that is, have ambulances take patients to alternative hospitals. Rerouting acute patients becomes paramount if clinicians are confronted with obstacles that degrade the quality of care they can provide. For instance, diversion may make sense if staff can’t receive X-ray images digitally and zero in on areas of concern, but instead have one static image to work with, Heslin said.
Dr. Eugene Heslin, first deputy commissioner and chief medical officer for state Department of Health. Credit: New York State Department of Hea/Mike Wren
Hospitals and the state improved their ability to handle regional disruptions during the COVID-19 pandemic, Heslin said. The state started a surge-and-flex system, which moved patients to facilities best equipped to handle them, marshaled extra ambulances and directed resources where they were needed.
Now, the department wants notice within two hours of hospitals uncovering a cybersecurity incident when intruders gain unauthorized access to its information system and the incident is likely to hinder normal operations. It has drafted rules that would elevate cybersecurity measures and contingency operation plans to the desk of hospital executives for approval.
Costly countermeasures
Each hospital’s governing body would have to annually review how its cybersecurity policies are working and could be improved, informed by penetration testing, where an expert attempts to break into hospitals’ systems to pinpoint vulnerabilities.
Hospitals would need to tap a chief information security officer to spearhead their cyber strategy, including verification that software systems and third-party vendors meet minimum standards.
The measures have been already put before the public for comment and could be approved at any point. The health department estimates meeting the standards will initially cost up to $10 million per hospital depending on its size and cybersecurity system. Annual upgrades may require up to $2 million, according to the department, which said grants are available to help health systems do upgrades.
A federal agency charged with setting health policy, the U.S. Department of Health and Human Services, announced it would propose enforceable cybersecurity standards tied to the public health programs Medicare and Medicaid. This spring, HHS wants to start updating the Health Insurance Portability and Accountability Act — a rule that obligates health providers and their business partners to protect patient data.
Roadmap welcomed
The state's guidelines would give hospitals a checklist to run through for years to come when they integrate new clinical and IT advances into their operations, said Dr. Gerald Kelly, chief information officer and a physician at Stony Brook Medicine.
Dr. Gerald Kelly, chief information officer for Stony Brook Medicine. Credit: Stony Brook Medicine/Jeanne Neville
“It’s important to have a road map,” he said. “In some ways, it even helps folks communicate with their institution to make sure they’re investing in things.”
Stony Brook Medicine routinely updates cybersecurity policies, revisits contingency plans and conducts drills on operating during an emergency, Kelly said.
But training has perhaps been the top priority. Attacks are constant and bad actors can exploit something as simple as a distracted employee clicking on an attachment from an email address impersonating someone in their professional network, said Andy Hoffman, chief information security officer at the health system.
“No matter how much money, no matter how much you put out there, if you’re on the grid, if you’re on the net, you’re always going to be attacked,” Hoffman said. “We do take this very, very seriously.”
Stony Brook Medicine executives declined to say whether any attacks had been successful in recent years.
Researchers haven't found a significant difference in how sophisticated the IT systems were at hospitals breached by hackers and other hospitals, according to an analysis from University of Minnesota School academics. Facilities that suffered intrusions tended to be larger, have a higher net operating revenue and offer trauma, emergency and obstetric care services, according to a review of attacks from 2016 to 2021.
Other major hospital systems on Long Island, including Northwell Health, Catholic Health and NYU Langone declined or did not respond to interview requests. Northwell patient data was exposed in an attack on a medical transcript provider’s system, and a group administering benefits for Catholic Health employees had a breach that may have exposed emails, the health systems said. The breaches didn't impact their operations, they've said.
Broadening the scope
Many of the protocols put forward by the state are already enacted at hospitals in New York, said Thomas Hallisey, director of digital health for the Healthcare Association of New York State, a trade group for hospitals and other providers. Still, some requirements could be a bigger lift, particularly for hospitals with a tight budget, he said. Having to vet the security of third-party apps and partners would be particularly challenging, according to Hallisey.
But he believes these sorts of organizations will become directly responsible for their products' security once the federal government takes action. So he is mostly concerned that the two governments' frameworks work in tandem.
“Any duplication of effort or extra effort to meet two separate rules would be time spent with valuable resources that is no longer improving security, but meeting rules,” Hallisey said.
The state Department of Health said it is reviewing feedback on its proposal and working aggressively to establish regulations. Its team stays on top of federal policies and any related guidance from Washington will be reflected in the state's standards, DOH said.
Hospitals are concerned the federal government will make meeting its standards a condition of participating in Medicare and Medicaid, a key revenue source for most hospitals, according to Riggi, from the American Hospital Association. He said that's too harsh of a punishment.
HHS didn't directly respond to questions from Newsday.
Still, others stressed it is crucial to concentrate on raising hospital standards, specifically on lifesaving backup protocols.
“When you're already a financially distressed hospital, you can't afford to spend money on something that doesn't actually protect you,” Corman said.
On the rise
The volume of breaches involving ransomware reported to HHS increased 264% over the past five years, according to the agency's Office for Civil Rights.
Sarina Trangle covers affordability and cost of living issues and other business topics. She previously worked as an editor and reporter at amNewYork.
