Central Maine Medical Center in Lewiston, photographed in August 2021. (Andree Kehn/Staff Photographer)
LEWISTON — The cyber incidents that shut down computer and technology systems at several hospitals across Maine came at a time when such attacks on hospitals and health care providers are on the rise nationwide.
St. Mary’s Health System in Lewiston, owned by Covenant Health, reported a cyber incident in late May, while Central Maine Healthcare, which operates Central Maine Medical Center in Lewiston as well as hospitals in Bridgton and Rumford, noticed unusual software activity on June 1 and shut down all technology systems.
Some patients have since been unable to access appointments, health data and medication refills, even while awaiting emergency surgeries or crucial medical imaging results.
From 2018-22, there was a 93% increase in large health care breaches reported to the U.S. Department of Health and Human Services, with a 278% increase in large breaches involving ransomware, according to Peter Cassell, a public affairs specialist at the department’s Administration for Strategic Preparedness and Response.
We spoke with Cassell last week to better understand why these attacks happen and what hospitals can do to protect patient health and data.
Why are hospitals in the U.S. seeing an increase in cyber attacks? Why is this data valuable to hackers?
The health care and public health sector, which includes hospitals, continues to be one of the most targeted industries for cyberattacks.
This sector is particularly attractive to cyber attackers because of the wealth of sensitive information stored at facilities within the sector and the massive disruption that can be created when impacting the critical services health care facilities provide.
How are these attacks carried out?
Ransomware attacks are one of the biggest threats we continuously see happening. We’re also seeing social engineering and phishing, loss or theft of equipment or data, insider threats, and attacks against connected medical devices as areas of major concern.
Cyber criminals employing ransomware often use a tactic called double extortion, where they lock down critical systems and offer to unlock them for a hefty ransom in addition to threatening to sell the sensitive data unless paid a second ransom. Organizations often face impacts to patient care, high costs of rebuilding their systems, and a loss of patient trust in these incidents.
Are there any trends on where these attacks happen?
The health care and public health sector remains among the largest targets, along with the transportation, banking and water sectors.
A report in JAMA Health Forum indicated that cyber incidents on hospitals have surged. In their cohort study from 2016-21 on 374 ransomware attacks, the annual number of ransomware attacks on health care delivery organizations more than doubled, exposing the personal health information of nearly 42 million patients.
Are hospital IT systems more susceptible to these kinds of attacks than those of other sectors?
Hospital IT systems are not particularly more susceptible to these kinds of attacks, but they do contain more of the information that cyber criminals consider valuable.
Think of patient Social Security numbers and other personal private health data, for example. Our goal is to help these systems protect themselves with actions they can take every day to be more cyber healthy and to assist in responding to attacks when they occur.
What should a hospital or health care provider do as soon as they are notified of a cyber attack?
The FBI cybercrime homepage outlines how, when and who to report a cyber incident to, links to additional resources such as annual reports, industry alerts and ransomware information, as well as answers to FAQs. It can be accessed here: https://www.ic3.gov/.
What can hospitals do going forward to prevent attacks and keep patient data safe?
The Healthcare and Public Health Cybersecurity Performance Goals or HPH CPGs provide a roadmap for organizations to implement essential and enhanced goals representing best practices for cybersecurity — this really helps organizations tackle cybersecurity in a way that seems less daunting.
As the Lewiston hospitals work to recover technology systems, patients continue to speak out online and share their stories. This wave of cyber incidents can be an opportunity for Mainers to learn more about attacks and how to prevent them on their own devices.
