Closeup on an attack: Why rural hospitals need extra cybersecurity help



Last week the White House announced that it was sponsoring an effort to help rural hospitals cope with the overwhelming number of cybersecurity attacks that have been targeting them in recent years. Microsoft and Google stepped up to help out with the initial effort, and the White House hopes that other security and tech firms will join as well.

Healthcare in general has been in the crosshairs of attackers in recent years, with a new intelligence community report saying that attacks are up 128% year over year, with 258 known attacks in 2023 versus just 113 in 2022. But those figures don’t account for the vulnerabilities faced by many rural healthcare organizations that don’t have the money or resources to invest heavily in cybersecurity protections.

In addition to weaker cybersecurity protections, another concern is the oversized impact that the loss, even temporarily, of a rural hospital has on the people who live in the area. Rural hospitals, which are defined by the White House as those that are at least 35 miles away from a comparable facility, may be the only good treatment option for thousands of people. Without those hospitals, emergency treatments might be delayed for hours as critical patients are transported to other faraway facilities.

Thankfully, most of us have probably never been affected by the closure of a local hospital, but some time ago I moderated a podcast about a community that really suffered when their local healthcare facility was brought down by a cyberattack. The podcast was pretty emotional, and all these recent developments and efforts to protect rural hospitals, while positive, brought back the memory of that discussion.

The hospital in question was Sky Lakes Medical Center, a rural, not-for-profit center serving a large community of about 100,000 people in central Oregon. It’s the only facility in the area, with the next closest hospital located over 70 miles away and accessed through a mountain pass that is not always open or safe during bad winter weather. 

Sky Lakes was attacked on the morning of October 26th, 2020. The ransomware attack spread extremely quickly, and by the end of the day most of the hospital’s critical systems were encrypted and knocked offline. Poorly planned and maintained backup systems failed to activate properly, and operations were brought to a screeching halt. 

The COVID-19 crisis was in full surge at the time, and every bed in the facility was filled when the attack hit. But without computers or IT support, most patients could not safely stay there. Many patients in the 100-bed facility had to be quickly transported to other places, while operations that were being performed at the time had to be quickly wrapped up. Of course, the hospital was also closed to most new patients. 

All told, the attack brought the hospital down for over 23 days, leaving an entire community without advanced medical protection. Some systems took even longer to bring back online. It was months before Sky Lakes was fully operational again.

One of the most surprising things about the attack, according to John Gaede, Director of Information Services for Sky Lakes Medical Center, was the speed at which it spread and how fast it was able to cripple hospital operations.

“It was 3:30 in the morning and I was sleeping really well when I got the call from one of my managers saying that we had been hit with ransomware,” Gaede said. “By then our systems were already being encrypted, and we also found the ransomware note. As soon as we realized what was going on, the first thing we did was contact the other medical facilities and systems we were connected to and had them disconnect from us so the problem would be confined to just Sky Lakes.”

Investigations later revealed that an employee at the hospital received an email the day before that seemed to come from an internal source at the hospital. It congratulated the employee and offered them a bonus for their good work. The employee fell for the phishing attack and clicked on the link, which allowed the ransomware into the network by linking to a zero-day exploitation site. By the next day, almost everything had been compromised.

Like most of the rural hospitals that the new cybersecurity efforts are designed to help, Sky Lakes Medical Center had an underfunded cybersecurity program, limited staff and a lack of coordination among their defensive platforms and systems.

“Prior to concentrating on COVID and implementing new systems to help with that, we were in the process of transitioning our old endpoint detection management system over to a more state-of-the-art system,” Gaede said. “We were a week into implementing those new protections, but we have a small staff so we did not yet have it fully configured, so part of our environment had the new system and part of it had the old system. We also were dealing with some existing performance issues that helped to mask the initial ransomware activation.”

To try to deal with the problem, the Sky Lakes IT staff started to restore systems from their backups, but they were not able to first remove the ransomware from their system. As a result, as soon as any system was restored, it was almost immediately compromised again. They had no choice but to shut down every single system and device in the hospital to prevent further spread, effectively halting all operations. Everything was taken offline, including electronic medical records, 650 servers, email, billing systems, human resources, time cards, communications and every third-party system in the hospital.

The impact on the surrounding community can’t be overstated. 

“For our community, they had to drive over 140 miles to the north to get to the next hospital in that direction or 75 miles to the west over a mountain range,” Gaede said. “So this was devastating for our community, especially for people like our radiology patients who needed to make that difficult trip to other hospitals to get their regular treatments.”

According to the White House, Microsoft will offer grants and discounts of up to 75% on security products tailored for smaller hospitals, while Google will offer free endpoint security consulting and start a fund designed to help hospitals migrate to new software. All of those programs would have been invaluable for Sky Lakes Medical Center had they been available at the time, but will hopefully be ready to help defend rural hospitals and the communities that depend on them in the near future.

“I have talked with a lot of my peers, and many healthcare systems are still like Sky Lakes in that they do not have advanced endpoint detection and remediation systems,” Gaede said. “But that is an investment, along with great backup technology, that everyone in healthcare needs to have these days.” 

John Breeden II is an award-winning journalist and reviewer with over 20 years of experience covering technology. He is the CEO of the Tech Writers Bureau, a group that creates technological thought leadership content for organizations of all sizes. Twitter: @LabGuys