It’s been seven days since Lurie Children’s Hospital first cited a “network outage that impacts internet and phone service.” The systems have been offline since Jan. 31, and there’s no telling when they’ll be back up and running.
In an online statement last updated Monday night, Lurie described the issue as a “cybersecurity matter.” The same language was used in an email sent to some Lurie patient families.
Lurie hasn’t shared other information, including whether it’s a cyberattack and if so who’s behind it.
Cybersecurity expert Stel Valavanis, CEO of onShore Security, theorizes it’s the work of a sophisticated player.
“I absolutely guarantee you Lurie has very good backup systems,” Valavanis said. “I absolutely guarantee you that they’re a mature organization, they’re well-funded. If an attacker was able to really take down their systems like this, this was a pretty deep infiltration. They were probably up against somebody pretty significant.”
Lurie isn’t the first health care system to face this issue.
Chicago’s Saint Anthony Hospital on Jan. 30 announced it was victim of what it described as a “data security incident” in mid-December.
The U.S. Department of Health and Human Services is investigating hundreds of cases of breaches of “unsecured protected health information,” though not all are hacking-related privacy violations.
In late January, HHS published goals, or recommendations, that hospitals and other health care entities should take in terms of cybersecurity. But Valavanis said in his experience businesses are most moved to take major preventative measures when they’re compelled to because of government regulation.
“We talk about it like it’s an act of nature, like, ‘Oh, you’d better be ready for this because it’s going to happen.’ Well, how about policies?” he said. “How about compliance rules? Don’t blame the victim, but let’s put good (government) rules in place and let’s help people not become a victim again.”
Valavanis guesses in Lurie’s case, the attacker is after money, or ransom — hence the term “ransomware.”
“Let’s not assume because there may be more to it,” Valavanis said. “A nation state actor does have value in doing something like this. A nation state actor will do something like this to show that they have a certain power. They might do this to affect public opinion, and people feel unsafe.”
He said there could be a political motive or something else at play.
No entity has publicly claimed responsibility so far, which contributes to Valavanis’ presumption that it’s a money grab.
He also said cryptocurrency has opened the door to monetizing cybercrime.
“I’m going to strongly guess this is financially motivated and Lurie has not put out the details yet because they’re under certain rules,” Valavanis said. “They’re going to do it very carefully and that’s why we haven’t heard more yet.”
Meanwhile, some families who count on Lurie are confused and frustrated, with patients from out of town wondering whether they should travel for an appointment or whether a procedure is canceled. Some parents have taken to Facebook to praise Lurie for “limping along” as best as it’s able under the circumstances.
By and large, parents can’t depend on mass emails or automated appointment reminders. Patients who try to log in to the MyChart electronic records portal receive an error message.
Lurie said per the protocol for situations like this, it has taken down all network systems, which means no external emails or phone calls.
The hospital set up a call center (1-800-543-7362) that’s open from 8 a.m. to 8 p.m. and answers basic frequently asked questions on its website.
“Our investigation remains ongoing and we are working around the clock to resolve this matter,” a statement reads on the page. “Please understand this process takes time and know that we have highly experienced, capable, and empathetic teams of both internal and external experts responding to this matter.”
Lurie said it is “taking steps to mitigate the disruption and maintain continuity of care” and is working with law enforcement.
A responder at the call center said patients should still go to appointments unless they hear otherwise from a provider.
Still, there’s fear this could impact and delay children’s care.
One mom whose child had to visit Lurie’s emergency room Monday night said things were slow because staff had to rely on paper rather than computers and couldn’t immediately look up old patient files. Hospital wristbands weren’t printed; they were made of paper.
It’s also unclear what financial hit this could mean for Lurie or its insurer.
What personal health information may have been compromised, if any, is also unknown.
Valavanis said on a personal level, individuals need to follow advice that’s common for good reason: Use a password manager, don’t reuse passwords, don’t open suspicious emails attachments and links and make sure your computer’s antivirus software or endpoint detection systems are up to date.
Contact Amanda Vinicky: @AmandaVinicky | [email protected]