The Brooklyn Hospital Center in New York has notified patients of a security incident involving malware that infiltrated some of the organization’s data servers.
Officials became aware of the ransomware attack at the 464-bed community teaching hospital located in downtown Brooklyn in July when they noticed unusual activity relating to certain hospital servers. An investigation determined it was malware that encrypted certain systems and had disrupted the operation of some of the hospital’s data servers, although officials attest that there is no evidence that data was actually accessed or acquired by the attackers.
But then in September, hospital officials got more bad news. The investigation confirmed that due to the malware, certain patient data was unrecoverable. “While our recovery efforts are ongoing, based on this determination, we are undertaking a diligent review of the patient data that may be potentially impacted by this event and taking steps to notify those individuals whose records may no longer be available. To date, we are unaware of any actual or attempted access to or misuse of medical or personal information,” hospital officials stated.
The unrecoverable information may have included patient names and certain dental or cardiac images, they noted, adding that they are “reviewing policies and procedures relating to data security and taking steps to enhance our existing security protocols.”
While there have been differing reports on whether ransomware attacks on healthcare organizations are on the rise—some believe they actually decreased in 2018—industry cybersecurity professionals are still concerned about these types of incidents since the impact on the victim organization can be quite significant.
For example, notes Clyde Hewitt, executive advisor at Texas-based cybersecurity company CynergisTek, the typical hospital can expect to lose $100,000 per bed over the 60-day period it takes a hospital to recover from a widespread ransomware event to the point from which their patients’ insurance plans start paying again. For most providers, he says, “this has significant cash-flow implications. While most of the claims are eventually paid, hospitals should expect a 6 to 10 percent reduction due to lost charge capture for the period they had to operate with paper medical records.”
Beyond that, ransomware attacks impact not only clinical systems, “but can also stop all back-office functions such as timekeeping, payroll, HR, physical security systems, contracts, and supply chain management,” Hewitt says. “For organizations that can survive the cash flow, immediate recovery cost, and then the long-term remediation cost to address the issues that lead to the attack, they can expect their capital investments in new clinical-facing technology to be adversely impacted for a minimum of a year or even longer.”