WASHINGTON (AP) 鈥 Cybersecurity experts are warning that hospitals around the country are at risk for attacks like the one that is , and that the U.S. government is doing too little prevent such breaches.
Hospitals in recent years have shifted their use of online technology to support everything from telehealth to medical devices to patient records. Today, they are a favorite target for internet thieves who hold systems' data and networks hostage for hefty ransoms, said John Riggi, the American Hospital Association鈥檚 cybersecurity adviser.
鈥淯nfortunately, the unintended consequence of the use of all this network and internet connected technology is it expanded our digital attack surface,鈥 Riggi said. 鈥淪o, many more opportunities for bad guys to penetrate our networks.鈥
The assailants often operate from American adversaries such as Russia, North Korea and Iran, where they enjoy big payouts from their victims and face little prospect of ever being punished.
In November, a ransomware attack on a health care chain that operates patients from emergency rooms and postpone elective surgeries. Meanwhile, a it was permanently closing last year because it couldn鈥檛 recover financially from a cyberattack. And who were receiving treatment at a Pennsylvania health network after the system was hacked last year.
Now, one of the top children's hospitals in the country, the Ann & Robert H. Lurie Children鈥檚 Hospital of Chicago, has been forced to put its phone, email and medical record systems offline as it battles a cyberattack. The FBI has said it is investigating.
Brett Callow, an analyst for the cybersecurity firm Emsisoft, 46 cyberattacks on hospitals last year, compared with 25 in 2022. The paydays for criminals have gotten bigger too, with the average payout jumping from $5,000 in 2018 to $1.5 million last year.
鈥淯nless governments do something more meaningful, more significant than they have done to date, it鈥檚 inevitable that it鈥檒l get worse,鈥 Callow said.
Callow believes the government should ban cyberattack victims such as hospitals, local governments and schools from paying ransoms. 鈥淭here鈥檚 so much money being paid into the ransomware system now there鈥檚 no way the problem is going to simply go away on itself,鈥 he said.
The dramatic increase in these online raids has prompted the nation鈥檚 top health agency to .
The Department of Health and Human Services said it will rewrite the rules for the -鈥 the federal law commonly called HIPPA that requires insurers and health systems to protect patient information 鈥 to include new provisions that address cybersecurity later this year.
The department is also considering new cybersecurity requirements attached to hospitals鈥 Medicaid and Medicare funding.
鈥淭he more prepared we are the better,鈥 said Deputy Secretary Andrea Palm.
But, she added, some hospitals will struggle to protect themselves. She is worried about rural hospitals, for example, that may have difficulty cobbling together money to properly update their cybersecurity. HHS wants more money from Congress to tackle the issue, but Palm said the agency doesn鈥檛 have a precise dollar amount its seeking.
鈥淚t鈥檚 important to note that this has to come with resources," Palm said. "We can鈥檛 set the industry up not to be able to meet requirements.鈥
Becoming the victim of a cyberattack is costly, too. The attacks can put hospitals鈥 networks offline for weeks or months,
In Chicago, Lurie hospital鈥檚 network has been offline for two weeks. The hospital, which served more than 260,000 patients last year, has established a separate call center for patients' needs and resumed some care.
On Thursday, Lurie鈥檚 surgeons operated on Jason Castillo鈥檚 7-month-old daughter mostly by hand, without some of the high-tech devices usually used.
His daughter鈥檚 planned heart surgery was postponed on Jan. 31, when the hospital found itself under cyber siege. The surgeon talked to Castillo before his daughter was wheeled in for a six-hour surgery, promising that he felt confident he could do the procedure despite the ongoing cyberattack.
鈥淪he鈥檚 doing fantastic,鈥 Castillo said of his daughter, who is now recovering at home. 鈥淚t feels like a huge cloud has been lifted from our household.鈥
Even once Lurie has restored their network, it'll likely take months of behind-the-scenes work for the hospital to fully rebound, Callow said.
鈥淭hese incidents can affect everything from patient care to payroll,鈥 Callow said. 鈥淔ully recovering can take months, it鈥檚 not simply a matter of flicking a switch and everything comes back on."
___
Associated Press writer Kathleen Foody in Chicago contributed to this report.
Amanda Seitz, The Associated Press
