At 12:08 p.m. on a Monday, a Sky Lakes Medical Center employee tapped an email link.
Within minutes, that click cracked open the Oregon hospital’s digital infrastructure for cybercriminals to infiltrate. By the time IT staff started looking into it, “everything was being encrypted,” said John Gaede, director of information services. On a note discovered in a server, the attackers announced the 100-bed Klamath Falls hospital had been hit with ransomware.
“None of us have ever experienced anything like this,” Gaede said. The ramifications were sweeping. Sky Lakes serves a 10,000-square-mile area in rural southern Oregon; the next closest hospital is 72 miles to the west, 140 miles to the north, 100 miles to the east or 100 miles south. In other words, Gaede said, “We are the sole provider of care.”
And at the time of the attack, October 2020, the hospital was battling its first local surge of Covid-19. Hospital officials quickly decided on the most extreme counter-response: powering down about 2,500 devices and more than 600 servers, Gaede said. “Anything that had a computer in it, we shut it off.” For the next 23 days, clinicians and nurses used pen and paper for note-taking, struggling to care for patients without access to their medical histories, lab results and imaging scans, appointment calendars, or emergency contacts. Cancer patients faced a choice between driving an hour or more for radiation elsewhere, or holding off on treatment until Sky Lakes recovered.
The “nuclear option” for interhospital communication — a network of copper wire fax lines — ended with one machine breaking down in smoke from overuse. It was faster, staff found, to simply hand-deliver lab results.
“We were woefully unprepared,” Gaede said. “You don’t think you’re going to come to work one day and get hit by ransomware — and then it happens and you’re staring reality in the face.”
The reality of being locked up by ransomware is no longer a concern reserved solely for major health systems, once a primary target. Regional hospitals and specialty clinics are now also constantly warding off, and falling prey to, malicious cyberattacks as ransomware groups grow more opportunistic than ever. Federal databases detail a number of small providers — from pediatrics clinics to hearing centers, chiropractors and child abuse prevention non-profits — caught up in the sweep of attacks targeting the health care system.
Last September, for example, a ransomware attack shut down all the phone, computer and email systems at non-profit Coos County Family Health Services, the main health provider in New Hampshire’s Androscoggin Valley that serves about 15,000 patients on a sliding scale fee. In February of 2021, Rehoboth McKinley Christian Health Care Services — a rural not-for-profit on the edge of the Navajo Nation in New Mexico — was also ground to a halt by ransomware.
Such an attack can be devastating for a health system of any size and scary for anyone relying on its care. But for smaller hospitals and practices, the costs — both to patients and to the bottom line — can be especially steep. Experts say that small, rural providers are also less likely to be prepared to defend, resolve and recover from a ransomware attack than their larger, urban counterparts.
“There was a commonly held belief that ‘Who would want to target us?’” said Lee Kim, a senior cybersecurity and privacy principal at the Healthcare Information and Management Systems Society. “That was probably true some years ago when ransomware was first starting up.” But today, she said, the size of an organization doesn’t really matter anymore. “Everyone is a target,” she said. “We can no longer rely on faith that rural providers won’t be in the cross hairs.”
Joe Wivoda said he has heard from a growing number of participants in the IT and cyber workshops he leads for the National Rural Health Resource Center that they’ve suffered attacks significant enough to force them into pen-and-paper operations for a day or more — a reality he described as “pretty scary.” “In the last year, it’s become a crisis,” Wivoda said. “It’s as if rural is being targeted now.”
Experts have warned for years of the U.S. health care system’s underinvestment in cybersecurity. Progress has been sluggish, even as threats have mounted.
In 2021, according to one survey, the industry spent about 6% or less of its IT budgets on cybersecurity — with two out of every five respondents reporting their cybersecurity budget remained the same or shrank last year. At the same time, 73% reported they rely on legacy operating systems like Windows 2008; only about half said they’ve implemented a comprehensive network monitoring tool or intrusion detection and prevention system.
Research shows that small- and medium-sized providers are even less likely to have the resources to adequately invest in sufficient and secure IT. The federal health department has also flagged small organizations as generally lacking dedicated IT protections.
“It’s astounding, the amount of IT that exists in a hospital,” said John Riggi, the American Hospital Association’s senior advisor for cybersecurity and risk. “It’s a high-pressure IT job and you’re oftentimes all alone.”
For attackers, those vulnerabilities might make small providers a valuable testing ground to try out novel exploits ultimately aimed at larger systems, Kim said. “They might be trying to see how far they can go.”
If a rural provider is near a military base or a major tech hub, it might also offer a window for stealing non-civilian or high-profile patient information, she said. For some attackers, the goal is simply to disrupt valuable care and cause panic. Malware attacks typically do just that, be it a network shutdown, a freeze on new admissions, or a scramble to continue seeing and treating patients without access to electronic health records, appointment systems, or even internal phone services. That can have cascading impacts. The Cybersecurity and Infrastructure Security Agency released research last September linking ransomware attacks with hospital strain, worse health outcomes, and increased mortality.
During lockdowns, patients needing non-emergency care are forced to wait days or weeks for the system to recover — or to travel to the next-closest ER if they need urgent medical treatment. Those consequences can be especially dire for small and rural providers, experts say.
During a 2019 ransomware attack that shut down more than 1,500 computers and servers, Campbell County Health in rural Wyoming canceled surgeries, stopped accepting new patients, and sent others more than 125 miles away to other area hospitals for treatment. “Sometimes they are truly the only game in town,” Kim said. “There aren’t alternatives nearby. It could be a 3-hour drive ahead of them.”
Underserved providers may also get hit harder by the extreme costs incurred by ransomware events, given the long-term financial strains on rural providers from low patient volume, workforce shortages and budget cuts.
It took Campbell County Health months to fully recover its IT infrastructure; the final cost was estimated to be upward of $1.5 million.
Those who choose to pay ransom in order to unfreeze their networks might be forking over hundreds of thousands of dollars. According to federal health officials, the industry’s average ransom payment was more than $322,000 by the end of 2021. Wivoda says he knows of rural hospitals paying quarter-million-dollar ransoms. “And these are small organizations. They can’t afford that,” he said. “It’s not like they need any more financial troubles.”
Even though Sky Lakes did not end up paying a ransom, the attack incurred an estimated $10 million impact on the hospital, which was unable to bill for services for months and essentially replaced its entire fleet of computers in the aftermath. For a smaller provider like Sky Lakes, ransomware eats up precious and limited budgets — on top of the ongoing cost of trying to prevent the next attack from happening. “How do we keep up?” Gaede said, “when we really need a new MRI machine or new carpet or we have to pay our nurses more.”
It can also be a huge blow to their most valuable asset — patient trust — which has suffered from a number of Covid-19-related impacts including closed labor and delivery units, limited in-person visitation, and overflowing emergency rooms. In recent years, the industry has also come under scrutiny for being so tight-lipped about cyber attacks. “I don’t think the industry’s been near enough transparent about it,” Gaede said. “This should be front and center. It’s the right thing to do.”
“That kind of pressure really is a wake-up call for many organizations,” said Kim. “It can make or break an organization.”
And research suggests that after a breach, patients will look to shift their care to a new provider. “If they have that opportunity, they will,” said Eric Johnson, a health IT researcher at Vanderbilt University and dean of its Owen Graduate School of Management. But in a rural area, he said, patients don’t have the luxury of exercising that consumer choice. “If their hospital is hacked, they just have to wait” for it to get back up and running, he said.
In that sense, it’s just one more barrier to care for rural patients and their providers, who already must contend with a number of health disparities.
“You might think you’re kind of off-the-grid, but that doesn’t mean you’re not susceptible,” Johnson said.
That’s especially true in the face of mounting attacks on hospitals, 9-1-1 call centers and other critical infrastructure. “Nothing is off limits,” Bryan Vorndran, assistant director of the FBI’s cyber division, told lawmakers late last month.
Those threats are real for providers of all sizes. But for smaller ones, who see larger organizations with entire teams dedicated to cyber, the odds can feel stacked against them.
“They have this sense of lack of control,” Wivoda said. “They have this fear of not being prepared and not sure how to prepare. It’s something they don’t feel they’re ready for.”
And even if a hospital recovers fully from an attack — as Sky Lakes did seven months after the fact — the battle against cybercriminals and for patients continues, unrelentingly.
“They were gracious to us the first time around,” Gaede said. “If we get hit again, we’ll lose that trust.”