Attack Hits Small Rural Georgia Hospital, Nursing Home
Memorial Hospital and Manor Tapping Its Experience Dealing With Downtime Procedures
A small community hospital and its nursing home in rural Georgia have resorted to paper charts and other manual processes for patient care as they deal with a ransomware attack discovered Saturday that knocked their electronic health records and other IT systems offline.
Memorial Hospital and Manor, an 80-bed hospital and 107-bed long-term care facility, along with Willow Ridge, a 22-bed personal care facility, is owned and operated by the Hospital Authority of the City of Bainbridge and Decatur County.
Memorial Hospital and Manor's IT systems, including EHRs and email, have been offline since Saturday morning when employees detected the incident, Jamie Sinko, a Memorial Hospital and Manor spokeswoman, told Information Security Media Group.
The organization also posted a notice on its Facebook page on Sunday alerting the community of the incident.
"ATTENTION!!! This is to inform you that Memorial Hospital and Manor is experiencing a ransomware incident," the notice said. "This impacts access to our Electronic Health Record system. While we believe this issue will not impact either the level or the quality of care we provide to our patients, we want to be fully transparent regarding this situation."
This attack was discovered when employees saw notifications of potential risks found by the hospital's virus protection software, the notice said.
"Once we learned about the incident, we immediately initiated an internal investigation and are working toward a solution. We are currently evaluating our options for restoration and recovery at this time," the notice said.
Fortunately, Memorial Hospital and Manor's staff has had recent practice working under downtime procedures, including manually charting patient charts, during an upgrade of its Meditech clinical systems over the summer, Sinko said. In addition, Memorial Hospital and Manor's staff get periodic training to deal with unexpected downtime situations, she said.
"Our CT and other systems are still working. Our staff is scrubbing computers, trying to bring them back online as quickly as possible," she said.
An investigation into the incident is still in the early stages, so Sinko said she could not say whether data and IT systems were encrypted by the ransomware or whether any data was exfiltrated by the attackers. She also could not comment on whether any particular cybercriminal group has taken credit for the attack or demanded that Memorial Hospital and Manor pay a ransom.
Fortunately, so far, the hospital has not had to turn away emergency room or other patients, she said.
"We're a small rural hospital. Everything is taking longer, but so far we're still able to care for our patients," she said.
Cyberattacks that potentially disrupt patient care provided by small and rural hospitals and related healthcare organizations are a top concern of U.S. federal authorities.
"When you go into rural America, you're potentially talking about hours to get to another healthcare institution," said Nitin Natarajan, deputy director of the Cybersecurity Infrastructure and Security Agency, during an interview with ISMG during a recent HIPAA summit in Washington D.C. (see: Why Shoring Up Cyber at Rural, Small Hospitals Is Urgent).
"The criticality in these communities to make sure these healthcare organizations can continue to deliver emergency care and subsequent care truly is critical," he said.
So, providing cybersecurity resources to aid healthcare entities in rural communities to build resilience against cyberthreats is absolutely imperative, he said. But compounding the challenge is that small and rural healthcare organizations often don't know where to start or how to make use of available cyber resources, he said.
CISA, the U.S. Department of Health and Human Services and other federal agencies are working to improve awareness of resources that small and rural healthcare providers can tap to improve their cybersecurity posture, he said.
Small and rural healthcare organizations can start by using local cybersecurity help offered by CISA through many communities in the U.S., Natarajan said, as well as take advantage of free or low-cost programs offered by some private sector companies, including Microsoft and Google (see: Microsoft, Google Offering Cyber Help to Rural Hospitals).
Additionally, over the last year, a handful of proposals aimed at helping rural hospitals improve their cybersecurity have been introduced in Congress, but so far, none has gained much traction (see: Bill For Rural Hospital Cyber Skills Passes Senate Committee).