Capital Region Medical Center broke its silence Wednesday on an incident that left its network and phone systems down over the past six days.
CRMC discovered a disruption early Friday morning to its network systems. It disabled its network as a security measure and initiated an investigation into the incident. Investigators determined the breach was because of a cybersecurity incident.
“While our information security team is working diligently to bring our systems back online as quickly, and securely, as possible, nothing is more important to us than the health and safety of our patients and continuing to provide the care our patients expect,” Lindsay Huhman, CRMC director of marketing and communications, said in a news release. “There are downtime procedures in place for physicians, nurses and staff to provide care in these types of situations, and our staff is committed to doing everything they can to mitigate disruption and provide uninterrupted care to our patients.”
Downtime procedures, Huhman said, are policies put in place to continue safely caring for patients should a partial or catastrophic network failure occur. However, she said, “Each patient’s case is being evaluated on an individual basis to provide the best care possible.”
The American Hospital Association has conducted research on cyberattacks and ransomware attacks on hospitals. In “Ransomware Attacks on Hospitals have Changed,” the AHA reported the attacks may cause threat-to-life incidents within hospitals. They threaten a hospital’s ability to provide care, which puts patients at risk, the report’s executive summary says.
Early during the COVID-19 pandemic, cyber criminals used the pandemic as an opportunity to exploit, victimize, and profit through phishing emails and other cyberattacks on hospitals.
Laws are in place to discourage such attacks. Prosecutors may use federal statutes covering racketeering and corrupt organizations, money laundering, commercial extortion, homicide and even terrorism to charge people accused in cyberattacks.
“These additional crimes carry far more serious penalties that are more consistent with the threat-to-life element presented by disruptive cyberattacks against hospitals,” the report says.
Federal laws allow the Treasury Department to put financial sanctions on foreign entities that conduct cyberattacks.
“Hospital leaders can take a more direct role in strengthening the sector’s cyber defenses by participating in and promoting public-private partnerships and other collaborative efforts,” the report states. “Threat information sharing and other joint efforts can decrease the likelihood of successful attacks and help organizations recover and resume operations more quickly. Both of those outcomes decrease the financial incentive to carry out ransomware attacks. The AHA, the Healthcare-Information Sharing and Analysis Center and the HHS-sponsored Health Care Industry Cyber Security Task Force have separately urged more public-private partnerships to improve cyber security in a ‘whole of nation’ approach to defend against cyber threats.”
All organizations in health care face the same threats and the same potential consequences from cyberattacks, the report states. So all have the same incentive to exchange threat information freely.
Another AHA report, “The Growing Threat of Ransomware Attacks on Hospitals,” pointed out one in three health care organizations globally reported being attacked by ransomware during 2020.
“The extent and impact of a successful attack can be huge,” it said. “More than 600 U.S. health care organizations and more than 18 million patient records were affected in 2020 alone at an estimated cost of nearly $21 billion.
“When Universal Health — a major hospital chain operating in several states — was attacked last fall, it had to relocate surgical patients and divert ambulances to other hospitals.”
It is unclear if patients’ personal information was breached during Friday’s attack. Huhman said if investigators find personal or health information was involved in the incident, the hospital will “notify those individuals in accordance with applicable laws.”