Recovering from a Cybersecurity Attack and Protecting the Future in Small, Rural Health Organizations

by Tami Lichtenberg

Complex information systems such as electronic health records, patient portals, and telehealth equipment, as well as high-tech radiology like CT and MRI machines, allow rural healthcare organizations to operate more efficiently and provide a similar level of service as larger, more urban facilities. In fact, during the recent COVID public health emergency, technological solutions were key to the continuity of care in many rural communities. However, the increased use of information systems, digital medical equipment, and computer networks escalates the risk of attacks by outside threat actors seeking to shut down systems and steal data through malicious cyber-attacks.

Threat actors — individuals or groups that want to hack systems that contain electronic personal health information (e-PHI) — often lurk on the dark web and operate in the crevices of networks. They attempt to penetrate information systems, firewalls, email, or computers to create havoc, steal data, or hold providers “hostage” for a monetary ransom.

According to the U.S. Department of Health and Human Services (HHS) Office of Civil Rights (OCR) portal detailing breaches, 54 million patients were affected by data breaches in 2022. According to the HHS Cybersecurity Program, 60% of the ransomware attacks in 2020 were aimed at healthcare organizations. The introduction of the 2022 update to the MITRE publication, Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook, commissioned by the Federal Drug Administration, provides a more sobering statistic: “From mid-2020 through 2021, 82 percent of healthcare systems reported a cybersecurity incident, while 34 percent were ransomware attacks.” The publication also cautions that attacks are starting to involve supply chains and cloud-based applications as the attacks become increasingly sophisticated.

Small and rural healthcare providers, which often cannot afford the expansive information technology (IT) teams of larger facilities, are especially vulnerable. A survey of 100 hospital IT experts by cybersecurity firm CyberMDX and Philips, found that small and midsize hospitals had the most vulnerability. In addition, 48% of hospital executives shared that their organization was affected by an attack in the last six months. In fact, in June 2023, a small rural hospital in Illinois closed, and it was the first to point to a ransomware attack that left them unable to bill Medicare, Medicaid, and other payers for months as one of the major causes.

This is not just an IT problem.… Everyone must be vigilant.

Healthcare security expert Joe Wivoda, a senior director of compliance at a HIPAA compliance solutions company, emphasized that cybersecurity is everyone's issue: “This is not just an IT problem. IT must do a better job, yes, but this is an organizational issue. Everyone must be vigilant.”

However, even the most vigilant organizations are not safe from cybersecurity threats and threat actors looking to do harm.

McKenzie Health System

Steve Barnett, Chief Executive Officer of McKenzie Health System, a Critical Access Hospital (CAH) in Sandusky, Michigan, knew that he was in trouble when his information systems started shutting down. He did not know it yet, but the cyber-attack that had started the day before was an attempt to grab as much data as possible and extort the hospital system for a hefty ransom. These network breaches, known as ransomware attacks, are often launched by threat actors who may not even have a specific target in mind. Their goal is just to hold an organization's information hostage or get as much sensitive and potentially protected health information as possible.

McKenzie Health System, according to Barnett, then began the tedious task of taking all systems offline, trying to identify and block the threat, and rebuilding the network from backups. He pointed to the fact that rural providers are resilient by nature as the reason his team was able to move back to paper-based systems in the meantime and continue to provide critical services to the community: “That's the nature of rural. Our team knew how to do things differently and adapted quickly despite the mounting stress and need to get systems back online as soon as possible.”

Learn more about McKenzie Health System's experience in our Rural Emergency Preparedness and Response Toolkit.

Estes Park Health

Like Barnett, in June 2019, Gary Hall, then the Chief Information Officer of Estes Park Health in Estes Park, Colorado, also watched systems shut down before his eyes. At first, when his on-call IT person phoned him at about 1:00 a.m. and told the bleary-eyed Hall that they were having trouble with the emergency department systems, things seemed disconnected. He tried logging in from home and experienced the same difficulty that IT had reported, but the system seemed to be intact. He headed into the hospital to check the network and try to figure out what was happening. In hindsight, he said, he should have started shutting down the servers before he left the house, but cyber-attacks were fairly new to rural health at the time. “My nightmare moment was when I got into my office, logged into the location where our shared folders were held, and literally watched as the code came across the screen and the files flipped as they locked one by one.”

My nightmare moment was when I got into my office, logged into the location where our shared folders were held, and literally watched as the code came across the screen and the files flipped as they locked one by one.

Although the cyber-attack on Estes Park Health happened a little more than four years ago, Hall recounts the event in vivid detail because it is never far from his mind. The ransomware attack — one that systematically shut down their network and computers and caused them to take other systems, such as their digital phone system, offline to protect them from corruption — locked files and shut down pieces of the network, but it did not result in data or protected information leaving the organization. Nevertheless, it was a devastating event for the small CAH and its affiliate outpatient clinic, requiring an incredible amount of staff time, many months of recovery efforts, and an enormous financial outlay to restore systems and prevent another attack.

The Toll of Cyber-Attacks

Ransomware attacks like the ones that these two rural healthcare organizations experienced can be costly. A report by IBM estimated the average healthcare ransomware attack cost organizations $4.2 million and that healthcare breaches were the most expensive overall. In addition to financial losses, a provider's reputation and trust in the community is also at risk. Barnett cited McKenzie Health's clear message, transparency, and communication with the media and the community as factors that helped the facility maintain community trust. He also credits preparation, his team's resolve, and the use of a disaster recovery organization in helping them get through the cleanup and repair after the cyber-attack, some of which was still going on months later.

Early on we established an incident communication strategy to share the event in all necessary detail with the public.

Hall identified those same factors as extremely important in ensuring that community trust is maintained in the organization: “Early on we established an incident communication strategy to share the event in all necessary detail with the public. We assured them that no data was stolen and that their healthcare was still safe and secure.” He also cited the openness of the leadership and board, which were closely involved in the recovery: “We have good relationships with the two newspapers here and used social media, but not to the extent we would today. Our elected board was engaged in the community and so we used service clubs like Rotary, community forums, emails, and the board even had a table at the local farmers market to communicate with the public about the incident.”

A little over a year past their incident, Barnett estimates that out-of-pocket costs are over a quarter of a million dollars and may not be complete. Some of these costs include legal fees, forensic work by a data mining company, notifications to patients and employees, monitoring software, file exploration, and credit monitoring costs for those potentially affected by the breach. He pointed out that the level of cybersecurity insurance an organization has will decrease some of the out-of-pocket described. Barnett commented that when his insurance broker recommended cybersecurity insurance five to six years prior to the cyber-attack, he really did not know what to make of all of it, but they started small and built up the protections over time.

As these events may be subject to federal audit, McKenzie Health System will not know for some time — despite believing that they did everything possible to protect patient information — if it was enough.

While the cyber-attack at Estes Park Health is further in the past, Hall recounted how he and his IT staff spent almost 140 of the 168 hours in that first week in the facility — even opening a room in the hospital so that the IT person, who lived a distance away, could stay nearby and catch a few hours of sleep while monitoring the recovery. He estimated that it took a full year of a staff person's time to complete the recovery and protect the organization for the future. In addition, even though the Federal Bureau of Investigation (FBI) did not recommend it, the organization felt it had no choice but to pay a bitcoin ransom through their cyber insurance company to recover the network keys and unlock their systems. When the first set of keys did not unlock all the data, a second ransom was paid, which freed up additional files. Aware that the threat actors could keep “spoon-feeding” the data keys for additional ransom, Hall acknowledged that some lower-level files and information simply had to be locked away and archived instead of continuing to pay.

He lamented about what good all the money that was spent — whether it was the ransom or the costs to protect the facility from another attack — could have done if it had been used to pay for the healthcare of the community instead.

Taking Stock and Protecting for the Future

It is believed that the attack on McKenzie Health System originated offshore; however, the country and culprit remain a mystery. Although the true root of the incident may never be known, Barnett said that the recovery has proceeded unhindered and as expected. “We get an occasional request to extend the credit monitoring we gave to anyone who we suspected may have been compromised, but nothing concerning has come from it,” he added. He explained some of the enhancements that McKenzie Health System has put in place since the attack: “We have been using software that does a much better job looking at incoming email traffic and we've implemented EDR (endpoint detection and response) software running on all endpoints. EDR quarantines anything suspicious for further evaluation and kills all malicious code.” However, he cautioned that organizations need to be careful not to tighten incoming emails to a point where appropriate emails are not coming through, and it can be challenging to find that sweet spot.

After working with local police forensics and the FBI, Hall said that the attack on Estes Park Health, fortunately, was a low-level attack that could be tracked back to access to Estes Park Health remote desktop servers via the hacking of some contractors' passwords. At the time, Estes Park Health did not have multi-factor authentication. He explained once the threat actors had access, they moved in what is referred to as an “East-West” pattern gaining access to other servers and applications down the line.

Hall also described the measures put in place after the ransomware attack at Estes Park Health. Having caught the culprits in what he describes as mid-stream, some of the damage was minimized by having systems backed up to the cloud. Now, he explained there are “protections upon protections. It's a wearying job. We have an IT staff that are on call, I am permanently on call, but you cannot physically watch everything all the time. So we have two different firms that monitor our systems continually — one that audits our data logs looking for anomalies and sending us alerts and the other that can quarantine and or shut down a system if it deems it necessary.”

Hall said that the monitoring gives him great comfort, but that he will never be 100% satisfied and that organizations cannot rest. He explained that Estes Park Health is continually probing the nooks and crannies of their system, checking outside the network, and looking for holes: “It's about how safe you want to be.”

This vigilance even protected the organization when their timekeeping vendor was hit by a cyber-attack of its own in 2021. Estes Park Health was able to isolate and protect their timecard system and move to a manual time recording process until the threat was over.

The Human Element

Wivoda explained that while organizations may focus on firewalling and penetration testing, phishing and ransomware attacks are the most pervasive. He said that by far the biggest threat is the human element: social engineering. Social engineering, in terms of information security, is the use of deception to manipulate individuals into exposing protected information in order to use it for fraudulent purposes. Attacks that use social engineering rely on naivety and human error.

While healthcare providers are continually building stronger firewalls and looking for intrusions in their systems, he pointed out that healthcare organizations have hundreds if not thousands of emails that threat actors are continuously sending as phishing attempts.

Hall and Barnett agree. “We train our staff that they are all IT security staff and help protect our facility from attacks,” said Hall, “but we also have scanning software that is anticipatory. If someone clicks on something bad, it analyzes it so we can proactively act upon it.” Barnett recommended reviewing the “soft stuff” and continually educating staff on determining whether an email is real or a phishing attempt. He encourages teaching people to focus, stop, and think, “Would that person really ask me to do that?” before responding to suspicious emails. He also suggests “looking at educational opportunities, going to sessions at conferences, and finding out what you need to be paying attention to. Don't wait until it happens to you.”

Annual Security and Privacy Risk Analysis

One tool that can help rural health organizations identify potential gaps in their protection of e-PHI or vulnerabilities in their networks is the HIPAA Security Risk Assessment, required for covered entities with PHI by the HIPAA Security Rule (45 CFR § 164.308). Wivoda cautioned that too many organizations simply check the box showing that the risk assessment was completed and do not use it the way they should. “Organizations should ask themselves when was their last one. So many even should be driving your security risk analysis (SRA),” he explained. “It is so much more than penetration testing and the incident response team. It is understanding where the threats are coming from and attacking and keeping systems and training up to date to prevent phishing attacks.” Wivoda recommended updating your HIPAA Security Risk Analysis both periodically and any time there are significant changes to the system. In fact, guidance on the HIPAA Security Risk Assessment from HHS says that the risk assessment should be a continual process and, although it must contain the components outlined, it leaves the design of the assessment up to the facility.

Hall pointed to his annual HIPAA Security Risk Assessment Report as a place to document all of the improvements to his systems as well as new threats and increased protections.

Shared Learning from Cybersecurity Incidents

While healthcare organizations and their leaders are often reluctant to speak about their experience and share their cybersecurity incidents with one another beyond what is required, Barnett said that sharing what happened, how it happened, and what is being done about it in various forums is instrumental to creating awareness and combatting threat actors: “The interviews I have done with you are one step. Sharing that information with the National Rural Health Association (NRHA) through a policy paper and speaking about the problem in other forums also increases awareness.” He is part of an NRHA rural hospital contingent reviewing a cybersecurity policy paper under development by NRHA Fellows to share information and assist other rural health organizations in avoiding their own attacks. Hall concurred, “Sharing is a good thing. Organizations want to cloak what happened, which is the opposite of what they should be doing. That is how the attackers can continue to do what they do.”

Sharing is a good thing. Organizations want to cloak what happened, which is the opposite of what they should be doing. That is how the attackers can continue to do what they do.

Hall spoke to the fact that, like the “COVID-19 of IT,” he is always getting alerts about new threats known as “Zero Day” threats — an attack that no one has seen before: “We may have the tools to combat it, but we don't know yet.”

Barnett cautioned that what McKenzie Health System and Estes Park Health experienced could happen to anyone and no organization is immune: “If you are operating in an electronic environment, as most healthcare providers are, it is not if you will suffer a cyber-attack, it is when you will become a victim, and so organizations should make sure they are educating, communicating, and preparing for disaster recovery. They [threat actors] are going to get in.”