INDIANAPOLIS — For the second time in weeks, Hoosier patients are caught in the middle of a hospital cyberattack.
The first attack happened to Eskenazi Health, where personal information was leaked on the dark web and now, Johnson Memorial Health is struggling to get systems back online.
Experts say hospitals and healthcare providers are becoming the newest target for hackers with an increase in cybersecurity and ransomware attacks.
“Going after a hospital system, unlike other areas, is really like hitting a treasure trove, because so much of the information they have stored about you can be really critical to stealing your identity,” said Scott Cederbaum, chief marketing officer with INE.
Right now, Cederbaum said these attacks are mostly affecting patient information, but they are also starting to affect patient care with systems being interrupted.
A recent lawsuit against an Alabama hospital alleged a baby may have died because of a ransomware attack that affected vital equipment. It’s the first lawsuit alleging someone’s death was caused in part by a hacker.
“Hospitals have been falling prey to ransomware attacks more often. This interruption could become something that is more prevalent,” Cederbaum said.
Cederbaum said after a cybercrime, hospitals need to identify what systems have been impacted and what systems do the attackers have access to. If they are unable to assess that quickly, it’s important they divert patients if they don’t think they can properly care for them.
There are three questions patients should ask before receiving care:
- “Are you currently experiencing any type of security incident or data breach?”
- “Are the critical electronic systems connected with this hospital running without interruption?”
- “What critical care systems are connected to the internet or other systems that may be vulnerable to a ransomware attack?”
“The only way we are going to get them used to being able to answer these questions is by simply starting to ask them, knowing the answers we may get on day one may not be as great as they should be a year from now,” Cederbaum said.
Back in July, Indiana adopted its “Cyber Incident Reporting” law. It requires government and public agencies, like hospitals, to report incidents within 48 hours to the state’s Office of Technology.
Cederbaum said it’s a great law, but since agencies and companies are given 48 hours, it’s still important to ask questions before receiving care.