Cybersecurity in Healthcare: A Call to Action for All
As a family physician and information technology executive, I’ve seen firsthand the critical role that healthcare systems play in our communities. Yet, in an era where technology intertwines with every aspect of our lives, we face a growing threat that is often overlooked: cybersecurity. This threat became deeply personal to me, having completed my residency at Sky Lakes Medical Center in Oregon, a facility that fell victim to a severe cyberattack. The consequences of such attacks underscore the urgent need for everyone in healthcare to understand and prioritize cybersecurity.
Why Hackers Target Healthcare Data
Healthcare data is a goldmine for hackers. It contains sensitive information, from personal identification to detailed medical histories. Such data can be exploited for identity theft, insurance fraud, and other malicious activities. Hackers are motivated by the high value of this data on the black market and the often inadequate cybersecurity measures in place within healthcare organizations, especially in rural areas.
The Sky Lakes Medical Center Incident
On October 26, 2020, Sky Lakes Medical Center, a lifeline for about 100,000 people in central Oregon, was attacked by ransomware. This incident wasn't just a technical disruption; it was a community crisis. The ransomware encrypted critical systems, paralyzing the hospital's operations. Backup systems failed, and the attack forced the transfer of patients, many in critical condition, to distant facilities. The hospital was inoperable for over 23 days, with some systems taking months to fully restore.
John Gaede, the Director of Information Services at Sky Lakes, recounted the suddenness of the attack and the devastating impact on hospital operations. The ransomware spread swiftly, and the hospital had to disconnect from other medical facilities to prevent further spread. The attack originated from a phishing email, a common tactic that exploits human error to breach systems.
The Initial Response
Immediately following the attack, Sky Lakes Medical Center issued a statement to the Klamath Falls community:
"To our Sky Lakes community- Earlier today, Sky Lakes Medical Center was the victim of a ransomware attack. Our computer systems have been compromised; as of right now we have no evidence that patient information has been compromised. However, communications with the medical center will be a little complicated until we can get our systems operating again. Our entire Sky Lakes team is working to counter this attack, and we will keep you updated on the ongoing details of our efforts to return business back to normal. Emergency and Urgent care remain available. Many scheduled procedures will go on as scheduled, however, if you have questions please contact the hospital or your provider. Please note, current filled prescriptions will still be available at Sky Lakes pharmacies. Please be patient. We are working to ensure all medical needs are taken care of during this time. Sky Lakes is open and, as always, Sky Lakes is safe and is here to care for you."
The next day, Sky Lakes Medical Center released another update, announcing that they had identified and addressed the incident:
"On October 27, 2020, Sky Lakes discovered that several computer systems were encrypted with ransomware. Sky Lakes immediately began to investigate, a cybersecurity firm was engaged, and steps were taken to address the incident and restore operations. Based on its investigation, Sky Lakes found no evidence that any patient information has been accessed or acquired by an unauthorized person and, to date, all Sky Lake facilities are operational. However, during the course of our investigation, we have learned that a limited number of historical medical images belonging to Sky Lakes patients cannot yet be restored. Sky Lakes has no indication that any information was actually viewed by the unauthorized person, or that it has been misused. Moreover, given the age of the images, Sky Lakes anticipates no negative impact on patient care. Nevertheless, out of an abundance of caution, Sky Lakes wanted to notify its patients of this incident and share that a limited amount of patient information may be unrecoverable as a result of this incident. At this time, Sky Lakes does not recommend any action on the part of our patients. Individual patients will be notified if it is determined that any of their images are permanently unrecoverable. To help prevent a similar incident from occurring in the future, Sky Lakes has implemented additional safeguards and technical security measures to further enhance the security of our network."
Overcoming the Attack
The ransomware attack at Sky Lakes Medical Center was orchestrated by Ryuk ransomware threat actors, a group known for its ability to evade detection and adapt its methods. This forced the hospital to shut down all online services, including 2,500 PCs and 600 servers, and put its Electronic Health Record (EHR) platform in downtime mode. Despite having downtime processes in place, the hospital staff quickly found that real-life complexities outstripped their planned scenarios.
"We had downtime processes that worked very well for the first 24-48 hours," says John Gaede. "And then they all broke down. We had to invent a lot of what we did in the moment."
Located in Klamath Falls, near the California border, Sky Lakes Medical Center is nestled alongside Klamath Lake, surrounded by forests in a high desert region. The attack not only disrupted hospital operations but also shook the tranquil community it served. The ransomware infiltrated the system through a seemingly innocuous email that led to a Google Drive link, which an employee clicked on, unleashing the attack.
By 11 p.m. on the day of the attack, encryption efforts had begun on Windows-based systems, and by 3:30 a.m., Gaede received the call alerting him to the ransomware attack. The hospital's Vocera communications platform was soon encrypted, leaving no choice but to shut everything down.
Shutting down the hospital's systems was a terrifying and unprecedented step. The 176-bed hospital had to go offline immediately, halting clinical care services and disrupting the lives of roughly 120,000 people in the area. The attack affected even maintenance and environmental services.
Gaede and his team quickly reached out for help. Cisco Talos and Kivu Consulting were instrumental in the recovery efforts, helping to rebuild the hospital’s network from the ground up. This laborious process involved cleaning backups, validating system integrity, and restoring functionality step by step.
Recovery Efforts
The attack against Sky Lakes Medical Center was part of a larger wave of ransomware attacks in October 2020 that targeted at least a dozen US hospitals and healthcare providers. Ryuk ransomware threat actors, notorious for their evolving attack methods, were behind the Sky Lakes incident.
Sky Lakes Medical Network Systems Analyst Sam Stewart provided a first-hand account of the incident and the recovery process. Stewart explained that the attack began when an employee opened an email and clicked on a link to Google Drive, downloading a file they thought was related to a company bonus. The PC “blipped,” leading the employee to restart the computer. The incident was not reported to the security department, delaying the response.
By the time the after-hours support team discovered the issue, the ransomware had already begun encrypting systems. The entire organization was forced into full EHR downtime mode, with all business and clinical applications offline. Stewart’s team contacted Sky Lakes Medical’s insurance company, Cisco Talos, and Kivu Consulting for assistance.
The recovery process involved shutting down all 2,500 PCs and more than 600 servers to limit the spread of the ransomware. Despite these efforts, the attack led to Sky Lakes upgrading its enterprise system, including 2,000 computers, to ensure hardware cleanliness and software updates.
Lessons Learned
The ransomware incident and recovery process highlighted several lessons for Sky Lakes Medical Center. One crucial realization was the importance of having well-practiced disaster recovery plans and strong partnerships with tech vendors. These elements proved vital in maintaining patient care during the attack and recovery.
Stewart emphasized the importance of immutable backups, which were not impacted by the ransomware and allowed the IT team to recover systems quickly. The use of Cohesity backups operating on Cisco’s hardware enabled almost immediate system recovery after the attack.
The incident also underscored the need for constant vigilance and proactive security measures. Stewart noted that any new project or application must prioritize security. The team at Sky Lakes has since strengthened its overall cybersecurity posture and completed several long-hanging projects to prevent future attacks.
The Vulnerability of Rural Hospitals
Rural hospitals like Sky Lakes are particularly vulnerable. They often lack the financial resources and staffing to implement robust cybersecurity measures. The recent White House initiative, supported by tech giants like Microsoft and Google, aims to address this vulnerability by providing grants, discounts, and consulting services tailored for smaller hospitals. This initiative is a crucial step in fortifying the defenses of rural healthcare facilities, which serve as the primary, and often only, source of advanced medical care for many communities.
The Impact on Communities
The closure of Sky Lakes Medical Center had a profound impact on the community. Patients requiring regular treatments had to travel great distances, often through hazardous conditions. The emotional and physical toll on patients and their families was immense. This scenario is not unique to Sky Lakes; it could happen to any rural hospital, highlighting the critical need for robust cybersecurity measures.
A Call to Action
As healthcare professionals, we must advocate for stronger cybersecurity protocols. This includes regular training on recognizing phishing attempts, implementing advanced endpoint detection systems, and ensuring that backup systems are secure and functional. The stakes are incredibly high. A breach can disrupt patient care, compromise sensitive information, and erode trust in healthcare institutions.
The incident at Sky Lakes Medical Center serves as a poignant reminder of how close to home these threats can strike. The new federal efforts to bolster cybersecurity in rural hospitals are a positive step, but we must all remain vigilant and proactive. By prioritizing cybersecurity, we can protect our patients, preserve the integrity of our healthcare systems, and ensure that we are prepared to face the evolving landscape of digital threats.
The intersection of healthcare and technology offers remarkable opportunities but also presents significant risks. It is imperative that everyone in the healthcare sector, from administrators to frontline staff, recognizes the importance of cybersecurity. Only by doing so can we truly safeguard our institutions.
Principal Cybersecurity @Inherent Security | Helping Health Tech leaders achieve HIPAA Security & Privacy Compliance.
4 months ago
Healthcare has been behind far too long when it comes to cybersecurity. Hopefully the resumption of the OCR audits and the bills passed by the Biden administration will prompt the industry to take it more seriously.
Senior Vice President, Chief Compliance Officer at JPS Health Network
5 months ago
Chief Compliance Officers should all be prioritizing INFOSEC (cybersecurity) as the #1 risk in their healthcare organization, above fraud, waste, and abuse concerns. Anything else indicates a failure to recognize the dynamic threat environment or a flaw in risk assessment methodology.