[BreachExchange] Ransomware Attack on Rural Hospital Disrupts Services

Destry Winant destry at riskbasedsecurity.com
Tue Sep 24 10:11:04 EDT 2019


A ransomware attack late last week on a county hospital in rural
Wyoming was still causing patient care disruptions on Monday. Some
patients were sent more than 125 miles away to other area hospitals
for treatment.

Campbell County Health, which include Campbell County Memorial
Hospital, a 90-bed area trauma facility in Gillette, Wyoming,
discovered the ransomware attack Friday morning.

In a statement posted Friday, the organization said all of its
computer systems had been affected by the ransomware attack, "which
impacts the organization's ability to provide patient care. The
appropriate authorities have been notified, and efforts are underway
to restore the affected systems."

Since the attack, Campbell County Health has been periodically
updating its website about the impact the ransomware attack has had on
the hospital's patient care services.

Service disruptions on Friday included stopping the admission of new
patients to the hospital as well as the cancellation of some
surgeries. Patients also were turned away for outpatient laboratory
testing, respiratory therapy and radiology exams or procedures.

"Patients presenting to the emergency department and walk-in clinic
will be triaged and transferred to an appropriate care facility if
needed," the organization's website statement said Friday.

By Sunday, the hospital said it was continuing to have service
disruptions. "However, the emergency medical services, the emergency
department, maternal child and the walk-in clinic are open to assess
patients and treat or transfer patients as appropriate," the website

"It is advised to call to confirm your appointment prior to going in.
All patients are also asked to bring medication bottles with them to
their appointment."

By Monday morning, the hospital had still either cancelled or
rescheduled patient services in several departments, including
endocrinology, radiation oncology, cardiac rehab, radiology,
respiratory therapy, and sleep clinic services, plus surgery at the
main hospital and at its Powder River surgery center.

Transferring Patients

A Campbell County Memorial spokeswoman tells Information Security
Media Group that the rural hospital will sometimes send certain trauma
or other seriously ill patients to one of several other hospitals in
Wyoming, Montana or South Dakota depending on a patient's health

The ransomware attack, however, triggered Campbell County Health
sending more patients than usual to other hospitals, especially to
Sheridan Memorial Hospital about 125 miles away.

Some patients who had already been admitted to the hospital before the
ransomware attack are still being treated as inpatients, except in
some situations where a patient's level of care needed to be elevated,
she says. In those cases, some patients were moved to other
facilities, the spokeswoman says.

As of Monday afternoon, Campbell County Health had not provided ISMG
with an estimate of the number of hospital patients sent to other
facilities for care or the number of patients who needed to be
rescheduled for non-urgent care due to the ransomware attack.

Sheridan Memorial Hospital did not immediately respond to an ISMG
request for comment.

Planning for Disasters

A spokeswoman for Johnson County Health, a 25-bed rural critical
access hospital in Buffalo, Wyoming, about 65 miles from Campbell
County Memorial, tells ISMG that the hospital has admitted at least
one emergency room patient so far who would have otherwise been
treated at Campbell County Memorial.

"We prepare for every kind of disaster," says the Johnson County
Health spokeswoman. "In Wyoming, and other rural areas, one big
[traffic] wreck can have a big impact, including needing to divert
patients. But now ransomware has become one of those disasters to plan
for and to practice for. We do that for all kinds of emergencies."

Dustin Hutchison, a partner at IT security consulting firm Pondurance.
says hospitals need to have a plan for where to send patients in
crises, including after ransomware attacks. "Hospitals that are part
of a larger organization will usually focus on diverting patients to
hospitals within the same organization, but agreements should also be
established with other organizations within a geographical area to
ensure additional capacity in the event of a more widespread attack,"
he says.

In addition to the patient coordination, information sharing related
to the ransomware attack is beneficial to potentially help reduce the
likelihood that the receiving hospital is also affected, he adds.
"When the plans to divert patients are put in place between multiple
hospitals, under the same organization or not, an agreement related to
timely information sharing should also be established," he says.

Statewide Coordination

Wyoming's Homeland Security Office is coordinating with state, local
and federal officials on a response and investigation into the
Campbell County Memorial Hospital ransomware attack, an office
spokeswoman tells ISGM. The office as of Monday has not received
reports of any other recent ransomware attacks on Wyoming hospitals,
she says.

Campbell County Memorial is working with an outside IT security firm
to remediate the situation, but it has no timeline yet for when
services will be fully restored, a hospital spokeswoman said. The
hospital would not comment on whether it has paid a ransom to unlock
its systems, she added.

Until the hospital has regained full access to its electronic health
records system, "we've reverted back to the old fashioned way of
keeping records - paper," she says.

Other Attacks

Ransomware and other cyberattacks have caused serious disruptions to
patient care in recent years.

That includes high-profile ransomware attacks in 2016 on Hollywood
Presbyterian Medical Center in California, and MedStar Health, a
10-hospital system serving Maryland and the Washington area.

All signs point to attacks on healthcare sector entities continuing to
surge, says Caleb Barlow, CEO of security consulting firm CynergisTek.

"There are even some signs that nation-state actors are leveraging
ransomware attacks to fuel some of their efforts," he says. "The good
news is that these kinds of attacks are preventable, and, more
importantly, knowing how to respond can make all the difference."

With healthcare entities and local governments being in the crosshairs
of recent ransomware attacks - does that put public hospitals even
more at risk?

"I think this is less a matter of public hospitals being higher risk
than typically having less resources," says former healthcare CIO
David Finn, executive vice president at CynergisTek.

"That will put you at higher risk but not because they are more
targeted but [rather] less equipped. This comes down to the age old
issue of cybersecurity not being an IT or a security issue. It is a
business issue. Providers, regardless of how they are funded,
absolutely have to prioritize cybersecurity"

More information about the BreachExchange mailing list