Hospital Closure After Cyberattack Sends Warning Shot to Healthcare Sector
By First Health Advisory
Low-resourced hospitals face devasting financial and patient safety impacts from cyberattacks, but many lack the needed financial and staffing resources to effectively defend themselves. A story circling mainstream media spotlights these critical issues facing the healthcare sector and, more specifically, rural hospitals.
St. Margaret’s Health has officially closed its Peru, Illinois hospital as its leadership could not “find nor financially support” a new provider for its emergency room department. In January, SC Media was the first to report that the hospital was temporarily suspending operations, citing a 2021 ransomware attack and COVID-19 impacts as the driving factors behind the decision.
A cyberattack struck the Spring Valley branch on Feb. 22, 2021, bringing on a complete network shutdown, including all web-based operating systems, email, and the patient portal, which lasted for several weeks. While patient care continued during the downtime, the hospital was forced to divert diagnostic imaging procedures to another hospital branch to ensure the accuracy of scans.
A January letter to employees noted that these outages contributed to the hospital’s ongoing financial constraints. The hospital was unable to “bill nor get paid, in a timely manner, for the services provided during the outage, while facing staffing shortages that required the use of “temporary agencies to fill positions at a significantly higher pay rate.”
The hospital has also struggled to “attract enough staff to continue to operate both hospitals,” the health system CEO and board chair wrote, at the time. “And, like you, we have been faced with rising costs for goods… “This all came at great financial cost. It’s obvious to the Board and Administration that action is needed now.”
The compounding factors forced the hospital to shut down ER physician coverage at its SMH-Peru branch on Jan. 28 as hospitals, as hospitals are cannot legally operate without a fully staffed emergency room. Hospital leadership said they were continuing to try converting the Peru branch to a Rural Emergency Hospital (REH)
But the attempts failed, and the hospital will shut down indefinitely, pending a reported sale.
“The patient safety implications of cyberattacks in healthcare are front and center, however, the financial impacts are very real and continue to grow in concern for all sized health systems,” said Carter Groome, First Health Advisory CEO. “I’m worried we’ll see more of these closures, if our ability to manage threats and minimize business impact does not improve as a sector.”
Hospital Closure Marks Industry First, but Certainly Not the Last
The St. Margaret’s closure is a worst-case scenario that stakeholders have long warned could occur when constrained budgets meet staggering recovery costs and lost revenue brought on in the aftermath of a cyberattack.
The hospital is the first to close its doors after a cyberattack. However, two other healthcare entities reported closures due to ransomware in 2019: Brookside ENT and Hearing Center in Michigan and California-based Wood Ranch Medical. The separate entities permanently closed after hackers encrypted and either damaged or deleted the data.
The shutdowns were deemed more cost-effective than the financial impacts of paying the ransom or the costs to rebuild. Data estimates that ransomware can cost an average of $1 million per day of downtime, due to lost revenue, care disruptions, and recovery costs. The outages at Universal Health Services and Vermont Health, for example, lasted about one month and cost $67 million and $63 million, respectively.
According to the July 2022 IBM Cost of a Data Breach, breaches are the costliest in healthcare, at an average of $10 million each. These costs are tied to recovery, lost revenue, and the highly regulated nature of the sector overall.
Indeed, the updated Department of Health and Human Services 405(d) Hospital Cyber Resiliency Landscape Analysis details the current state of financial distress facing the overall healthcare sector, tied, in part, to global pandemic impacts.
These resource constraints are further compounded by deep variations in cybersecurity resiliency among hospitals. The analysis noted that smaller hospital cybersecurity professionals, for example, reported their “knowledge of resiliency coverage was limited,” as well as a “minimal ability to stay current on threats” and “slim to negative financial margins inhibited cybersecurity investments.”
But even larger hospitals are struggling to meet mature cybersecurity controls. The analysis showed a 166% range of investment between lowest normalized cybersecurity investment of 0.07% to the highest of 0.75% of revenue.
“Many of the hospitals expressed a need for more benchmarking data and consumable, actionable intelligence information, but cost and poor awareness of existing resources is a strong deterrent,” according to the report.
But while hospitals struggle to find their footing, ransomware attacks continue to evolve and more readily rely on extortion tactics for financial gain. Threat actors merely need to take the path of least resistance when looking to inflict the biggest blow.
Alongside the updated analysis, HHS issued an update to its five-volume Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP). The framework is directed to healthcare providers, broken down by size and maturity model. But with any cyber program, an effective risk assessment is crucial to informing any major enterprise cybersecurity changes.
