July 19, 2022 By Mike Elgan 3 min read

Major ransomware attacks are scary, but against hospitals, they are even worse. One notable attack in August 2021 forced Ohio’s Memorial Health System emergency room to shut down (patients were diverted to other hospitals). In all hospital attacks, the health, safety, privacy and lives of patients face risk. But this incident also shows that whether targets are hospitals or any other kind of organization, the time and money spent preventing attacks is almost always worth it. 

But what do you do if protective measures fail? What can be done once an attack is already happening? 

One health care IT director set a fantastic example of what to do when an active ransomware attack was detected. 

His name is Jamie Hussey, and he works for Jackson Hospital in Florida, one of the dozens of hospitals to have been targeted for ransomware attacks in the U.S. recently. It all started near midnight on a Sunday night in early January. Staff in the emergency room called IT to say doctors couldn’t access patient charting records. Hussey found that ransomware had infected the charting software, which an outside vendor maintained. 

All IT departments should study what happened next as an example of what to do right. 

How to Contain a Ransomware Attack

Hussey quickly urged radical action. Shut the entire hospital’s computer systems down right away, he urged. They complied. Under a planned contingency called downtime procedures, hospital staff started using pen and paper to record data and communicate. Health care workers wrote prescriptions out by hand. 

IT staff then looked into the nature of the attack. They found that attackers encrypted files using the Mespinosa ransomware on a computer Jackson Hospital used to store documents not related to patient records. (Attackers have used Mespinoza against hundreds of targets, including health care and health-related organizations.)

The team then thoroughly checked their complete list of hospital computer systems for infection. Once found clean, they re-connected them to the network one by one. Lastly, the team brought the infected ER charting system back online. 

The Diagnosis

The main takeaway is not that organizations can thwart a ransomware attack after it has begun, but that preparation enabled containment. Everything that occurred at Jackson Hospital was part of a plan

For example, the moment a ransomware attack is discovered is not the time to gather stakeholders or leaders together to begin arguing and negotiating over whether or not to shut down computer systems organization-wide. 

In hospitals, doctors and surgeons are in the positions of highest authority over life-and-death issues. It’s easy to imagine that in the heat of the moment, doctors could overrule security staff over shutting down computer systems in an emergency room, causing needless risk to patients and patient records.  The decision to shut down in the event of the discovery of a ransomware attack in progress must be made in advance and agreed to by all involved. 

In press interviews, Hussey acknowledged extreme organizational pushback against taking all systems offline. But as he pointed out, that’s often the difference between a major and minor disruption. 

Ransomware Preparedness 

As part of the policy and cybersecurity training, a set of practices and policies for functioning while systems are down is a big part of surviving a ransomware attack. Systems may be down for hours, days or weeks.

The bottom line is that ransomware prevention is the best medicine. But, prevention is only one part of preparation. The other part is acting fast and doing the right things if a ransomware attack actually occurs. Quick action by the hospital’s IT director saved the organization from a widespread and catastrophic ransomware attack.

More from Healthcare

Cost of a data breach 2023: Healthcare industry impacts

3 min read - Data breaches are becoming more costly across all industries, with healthcare in the lead. The 2023 Cost of a Data Breach Report analyzes data collected from March 2022 to March 2023. Healthcare remains a top target for online criminal groups. These data breach costs are the highest of any industry and have increased for the 13th consecutive year. Healthcare is a highly regulated industry that the U.S. government considers critical infrastructure. As such, recent federal privacy standards, security standards and…

Cyberattackers target the Latin American health care sector

3 min read - Cyberattacks on the healthcare sector are a growing threat in Latin America, and the large amount of confidential data these organizations handle makes these attacks a top concern. The value of healthcare data in the illegal market, such as the personal, medical and financial information of patients and healthcare companies, creates an appealing target for threat actors. This can have serious consequences for the privacy and information security of these organizations. Cyberattacks could lead to reputational risks, interruption of operations,…

Increasingly sophisticated cyberattacks target healthcare

4 min read - It’s rare to see 100% agreement on a survey. But Porter Research found consensus from business leaders across the provider, payer and pharmaceutical/life sciences industries. Every single person agreed that “growing hacker sophistication” is the primary driver behind the increase in ransomware attacks. In response to the findings, the American Hospital Association told Porter Research, “Not only are cyber criminals more organized than they were in the past, but they are often more skilled and sophisticated.” Although not unanimous, the…

Reporting healthcare cyber incidents under new CIRCIA rules

4 min read - Numerous high-profile cybersecurity events in recent years, such as the Colonial Pipeline and SolarWinds attacks, spurred the US government to implement new legislation. In response to the growing threat, President Biden signed the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March 2022. While the law has passed, many healthcare organizations remain uncertain about how it will directly affect them. If your organization has questions about what steps to take and what the law means for your…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today