PROVIDENCE, R.I. (WPRI) — When hackers breach a hospital network, the effects can be catastrophic: emergency rooms shut down, ambulances are diverted, and patients’ medical data is exposed.

The attacks don’t always play out that way, but they happen at some level nearly all of the time. The U.S. Department of Health and Human Services reports 66% of health care organizations were hit by ransomware attacks in 2021, and Lifespan CEO John Fernandez said protecting against that threat is a nonstop effort.

“You almost don’t want to know, but you’re getting attacked on almost a daily basis,” said Fernandez, who was recently hired to lead the state’s largest hospital system.

“It’s an ongoing expense, an ongoing effort, vigilance, testing staff, so they don’t click on the link somebody is sending you in hacking emails,” he added last month on Newsmakers. “It’s just a brutal effort every day.”

On the dark web, medical records are worth more than a Social Security number, credit card, and driver’s license combined, according to federal officials. For example, they estimate a Social Security number can be sold for $1. Medical records can go for anywhere between $250 and $1,000.

Cost per piece of personal information on the dark web

Medical record: $250-$1000
Credit or debit card: $110
Driver's license: $20
Social Security Number: $1

Source: U.S. Department of Health and Human Services

That’s why Johnson and Wales chief information security officer professor Nick Tella said hospitals are one of the top three industries hackers target, explaining there’s a lot they can do with people’s medical information.

“Create medical cards, health insurance cards, there’s more value in that,” he told Target 12. “There’s millions of dollars in losses associated with fraudulent medical cards.”

The cyberattacks can also have damaging effects on an entire health care system.

This summer a cyberattack caused emergency rooms to be shut down at medical centers run by Prospect Medical Holdings across several states, impacting CharterCare’s Roger Williams Medical Center and Fatima Hospital in Rhode Island.

Tella said the breach is an example of how hackers are adapting by targeting smaller hospital groups compared to larger ones.

“Smaller hospitals that don’t have the resources, don’t have the infrastructure in place,” Tella said. “Whether it’s from network security, hardware and software or it is spending money to train your staff.”

Another example of a recent attack with damaging effects was the 2021 hack of radiology vendor Elekta, which left dozens of cancer patients without appointments at Rhode Island Hospital, The Lifespan Cancer Institute in East Greenwich, and Southcoast Health’s Cancer Centers in Fall River and Fairhaven.

Elekta Breach

Rhode Island Hospital
593 Eddy Street
Providence, RI

The Lifespan Cancer Institute
1454 S County Trail
East Greenwich, RI

Southcoast Health's Cancer Centers
503 Prospect Street
Fall River, MA

206 Mill Road
Fairhaven, MA

Tella said most of these cyberattacks happen because an employee falls victim to “phishing,” which happens when a hacker sends fake emails that look real to get sensitive information.

He said that’s why humans are often the weakest link in any cybersecurity network.

“You can spend millions of dollars on software and hardware to protect your system, but all you need is someone to click on an email that offers something for free or a coupon, or they think it’s legit and they click on it and that’s how the malware gets spread,” Tella said.

But not all data breaches are the result of cyberattacks. Sometimes emails with patient data are sent to the wrong person, or paper files go missing. For example, a laptop was stolen out of a Lifespan employee’s car in 2017, putting into jeopardy roughly 20,000 patients’ medical information.

Tella said while there was no evidence found to suggest medical records were accessed in that breach, Lifespan still had to pay a major fine to the federal government.

“They had to report it, they did the right thing, but they were still fined over $1 million because the requirement is encryption and they didn’t encrypt the laptop,” Tella said.

Federal data reviewed by Target 12 shows there have been 17 reported health care-related breaches involving Rhode Island-based organizations in the past five years, affecting more than 80,500 people.

The organizations included CVS, The Miriam Hospital and the R.I. Public Transit Authority.

The data also reveals a noticeable shift in how data is being breached.

For example, between 2018 and September 2021, hacking and IT incidents only accounted for 11.1% of breaches in Rhode Island. In the time since then, hacking and IT incidents totaled 85.7% of breaches.

Rhode Island Data Breaches
Between 2/2018-9/2021

11.1% Hacking/IT incident
22.2% Theft
11.1% Loss
55.6% Unauthorized access

Source: U.S. Department of Health and Human Services

Rhode Island Data Breaches
Between 12/2021-2/2023

85.7% Hacking/IT incident
14.3% Unauthorized access

Source: U.S. Department of Health and Human Services

Tella said the challenge many organizations face is they don’t invest enough in their networks and training their staff, and that often leads to them being reactive instead of proactive.

“It’s always after the fact: ‘Oh Jesus, how did this happen? How do we prevent it?’ But now literally the horse left the barn,” Tella said.

He said while companies would have to pay at least $30,000 in upfront costs, that amount pales in comparison to the cost of a data breach after the fact.

“If you have a data breach, never mind being put out of business, if you’re able to get back online you’re talking about $100 million,” Tella said. “It’s just a matter of them realizing what needs to be done and, more often than not, it’s reactionary.”

Kate Wilkinson (kwilkinson@wpri.com) is a Target 12 investigative reporter for 12 News.