Chicago pediatric hospital Lurie Children’s has been forced to take its network offline in the face of a “cybersecurity matter” as experts warn of heightened threats against health systems across the country.
Late Thursday, Lurie Children’s Hospital, which uses Epic System’s electronic health record software, said it was “actively responding” to the issue and working with experts and law enforcement. While the Illinois hospital is still open, it preemptively disabled its phone, email and electronic medical system, disrupting scheduled surgeries and making it harder for patients’ families to reach doctors, CBSNews reported. The disruptions reportedly began Wednesday.
The news comes as regulators and experts sound the alarm on growing cybersecurity threats. Late last month the Department of Health and Human Services published voluntary cybersecurity goals for the health sector, after a 2023 report warned of “dramatic increases” in cyber attacks that “compromise US hospitals, disrupt operations and extort for financial gain.”
“Directly targeted ransomware attacks aimed to disrupt clinical operations are an outsized and growing cyber threat to hospitals,” the 2023 report said.
Lurie Children’s has not clarified whether the incident it faces is a cyber attack, and did not respond to multiple inquiries from STAT.
Data breaches in the health sector reached an all-time high last year, impacting as many as 116 million patients, largely due to an increase in hacking and IT incidents, STAT has reported. That’s more than double the number of people impacted the previous year.
Last year even topped 2015’s outlier record in which breaches at Anthem, Premier Blue Cross and Excellus exposed data from tens of millions of people, tipping the total number impacted to more than 112 million.
A few dozen health organizations, including clinics, health systems and insurers, have already reported breaches related to hacking or IT incidents to the federal government this year.
In late December, an “unknown actor” copied patient data from Chicago’s Saint Anthony Hospital network, the hospital said in a public notice last week. Saint Anthony is still investigating how many patients and what kind of information were impacted.
Ransomware attacks have increased so dramatically because health systems are using connected medical devices, cloud services, and remote work systems that expand the potential attack entry points for hackers, the American Hospital Association’s national cybersecurity and risk advisor John Riggi told STAT.
“These technologies have improved patient outcomes and saved lives, there’s no doubt,” Riggi said. But it’s almost impossible for providers with limited staff, time and technical expertise to keep up with all the new vulnerabilities these increasingly complex networks incur.
These days, ransomware attacks typically originate in countries like Russia, China, North Korea and Iran, often with tacit permission from their host governments, Riggi said. And there’s an active underground hacking economy: people who steal employee credentials to gain access to the network, as well as ransomware developers, who sometimes sell the malware to less technically sophisticated hackers.
“This is a national security issue,” Riggi said — especially if people with urgent conditions, like heart attack and stroke patients, can’t get immediate care. AHA strongly discourages paying ransoms, he explained.
He added that hackers are increasingly violating their own code of ethics stopping them from attacking society’s most vulnerable people. Though he couldn’t comment on the Lurie incident case specifically, which has not attributed the incident, he called interfering with children’s health a “new low.”
“It is heinous to attack a children’s hospital or any specialty hospital because there may not be a nearby diversion options for their patients.” he said.
Adversaries see health and public health organizations as “high value yet relatively easy targets– or what we call target rich, cyber poor,” Nitin Natarajan, deputy director of the federal Cybersecurity & Infrastructure Security Agency told STAT in a statement. “Given that healthcare organizations have a combination of personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for an adversary.”
The threats aren’t limited to hospitals: This week FBI director Christopher Wray warned Congress that state-sponsored Chinese hackers are targeting U.S. infrastructure, including the power grid. Still, there’s no indication that Lurie’s incident is related to any such national security threat.