Cyberattack contributes to a hospital's closure.
By Rachel Gelfand, CyberWire staff writer
Jun 13, 2023

An Illinois hospital has blamed its closure on a ransomware attack; making them the first healthcare facility to do so under cyberattack-induced financial pressure, ever.

Cyberattack contributes to a hospital's closure.

St. Margaret’s Health in Spring Valley, Illinois is shuttering its operations, which they have blamed in large part on the fallout of a ransomware attack on their systems, NBC News reports

A 2021 ransomware attack kept the hospital under pressure.

Becker’s Hospital Review writes that the hospital’s coming June 16th closure follows a 2021 ransomware attack that rendered St. Margaret’s unable to submit claims to payers. Not only did the claim information not get submitted, but the systems were down for at least 14 weeks and required months of catch-up and recovery. The financial pressure this induced wound up being a factor in its closure, said vice president of quality and community services at the hospital, Linda Burt. The health system also ended operations at a Peru, Illinois-based facility in January.

While ransomware found a home in the hospital systems, other underlying issues surfaced.

CNN reports that other factors played a part in the decision to close the facility, primarily financial in nature, with staffing costs following the coronavirus pandemic and issues with supply chain and inflation credited as other reasons for the closure. A St. Margaret’s switchboard operator called the closure disheartening, noting connections with the primarily older patient base that will now have to find care elsewhere.

Experts weigh in on the incident.

Steve Gwizdala, Vice President of Healthcare at ForgeRock, notes the attractiveness to malicious actors of the healthcare industry, and recommends enhanced vigilance:

“News of St. Margaret’s Health linking its closure to a ransomware attack - and being the first healthcare facility to do so - is unfortunate yet not surprising. Healthcare continues to be one of the most attractive targets for cyberattackers, and the number of breaches affecting the industry is increasing each year.” 

“Vigilance and new ways of enhancing cybersecurity measures will be crucial to healthcare organizations and businesses responsible for protecting the personal information of consumers stored online – across the entire supply chain. The traditional password and username approach is no longer enough to properly protect such valuable information and keep healthcare organizations in business. Implementing multi-factor authentication (MFA), passwordless authentication, and zero-trust architecture ensures users experience a high level of security while mitigating risk and reducing opportunities for malicious actors to capture patient medical records.”

Erich Kron, security awareness advocate at KnowBe4 notes the strain caused by the aftermath of the attack, rather than the attack itself:

“It's important to note that the ransomware attack, while significant, is not the only thing leading the organization to close its doors. Unfortunately, while these attacks are not often the primary reason for an organization to shut down, the significant additional stress and financial impact caused by one of these attacks can be a major factor. This is an important thing to understand as in many organizations when finances become lean, it's very tempting to reduce budget for things like cybersecurity. Many organizations have suffered the effects of ignoring cybersecurity in favor of the bottom line, only to find out it was a poor decision.

 “For organizations that are struggling financially, it is important that they are very intentional about where they spend their cyber budget. Many organizations spend a considerable amount on advanced technical products while ignoring or minimizing efforts to reduce the things that cause most data breaches and malware infections, such as email phishing attacks. While technical controls are certainly required, ensuring that employees are educated and trained on how to spot and report potential social engineering attacks quickly can be one of the most cost-effective ways to reduce the risk of a breach, however many organizations put little effort into this critical defense.”

Dror Liwer, co-founder of cybersecurity company Coro highlights the stronger impact that these attacks have on smaller businesses:

“This heartbreaking news is an example of the devastating impact a cyberattack has on smaller organizations that don’t have the large budgets and experienced teams the Fortune 500 have. As attackers shift their aim to mid-market and small businesses because of how vulnerable they are, we are seeing the creation of a cyber divide - those that can sustain an attack because they have the tools, teams, lawyers, and insurance, and those that shutter their doors as a result of an attack.” 

(Added, 1:00 PM ET, June 13th, 2023. VP of RiskLens James Graham noted how this news should affect risk management in the healthcare sector: "With healthcare being such a vulnerable industry when it comes to cybersecurity risk, news like this is an unfortunate reality. All healthcare organizations should perform quantitative cyber risk assessments to plan defenses that are both cost-effective and realistic about the level of loss exposure the organization could face.”

David Anderson, CISO at Ensemble Health Partners, commented on what he considers a "sad milestone." He wrote, "Health systems need to prioritize ransomware as one of their greatest threats. This attack and the closure of this facility will result in longer trips to the ER and for other needed care which could lead to poor outcomes for patients that need help. The local economy will take a hit due to lost jobs at the hospital and reduced income for businesses that supported it. Attacks of this type are devastating because they slow down or completely stop not only patient care, but the entire care workflow. All of our efforts to make care easier, safer, and as seamless as possible can be erased in an instant.")

(Added, 10:45 PM ET, June 13th, 2023. Jon Miller, CEO and Co-Founder of Halcyon, commented at length on the peculiar vulnerability of healthcare organizations to cyberattack:

“The demise of St. Margaret's Health due to its inability to process payments following a disruptive ransomware attack demonstrates how fragile our healthcare system is. Unfortunately, given that healthcare providers continue to be a favorite target of some of the most notorious ransomware operators, we are likely to see more regional healthcare providers suffer the same fate. 

"There is no way to argue against the fact that ransomware attacks on healthcare providers pose a significant threat to human life. 

"While many perceive the healthcare industry to be well funded and stable, that is a huge misconception. The reality is despite the fact that some doctors and specialists may make a good living, the healthcare system in our nation is largely operated by non-profit entities that work on shoestring margins. 

"Criminal ransomware groups know that the impact of an attack against healthcare organizations does not just disrupt everyday business; it directly affects the lives of their patients. Furthermore, these organizations typically lack the appropriate budgets and staff to maintain a reasonable security posture, making them easy targets.

 "The average time it takes for an organization to recover from a ransomware attack has been pegged at about three weeks or more, according to multiple studies. However, in this case the attack occurred over three years ago. While a private, profitable organization with ample resources may be able to weather such a lengthy disruption to operations, the healthcare game is one of immediacy - patients are different than customers, and in most cases, they cannot afford delays in treatment without putting their health or lives at risk.”)

(Added, 10:00 PM ET, June 14th, 2023. Amit Patel, SVP at Cyware, added some thoughts on the particular exposure of smaller healthcare organizations to this kind of risk. “This is a stark reminder of the worst-case scenario for a small healthcare organization. Without enough resources to invest in robust security, updated systems, and having a clear recovery plan, these important local healthcare resources can easily be put out of business, directly impacting their patients," Patel wrote. “This is an industry-wide problem, yet we keep expecting our weakest links to defend themselves. We have to invest in systems to share intelligence, security best practices, and critical alerts across the industry quickly, reliably, and automatically.”)