Healthcare , Incident & Breach Response , Industry Specific
Cyberattack Diverts Patients From Rural Idaho Hospital
Ambulances Being Diverted to Other Facilities; Clinic Care LimitedA community hospital and its affiliated clinics in rural Idaho are diverting ambulances and patients to other facilities as they recover from a cyberattack discovered on Monday.
See Also: Enterprise Browser Supporting Healthcare, Cyber Resilience
The incident affects 44-bed Mountain View Hospital and 88-bed Idaho Falls Community Hospital, which share the same campus and some mutual owners. Also affected are several partnering clinics around Idaho Falls, which is a rural community with a population of about 68,000.
Idaho Falls Community Hospital, which runs the emergency department of the joint hospital campus, was still diverting ambulances to other hospitals on Wednesday.
Clinics that partner with the hospitals are also limiting some patient services. The website of Mountain View RediCare says the clinic is "currently closed due to a cyberattack on our computer systems resulting in our downed network."
An Idaho Falls Community Hospital spokesman on Wednesday told Information Security Media Group that the hospitals are still addressing the cyber incident. "Patient safety is our top priority," he said.
The affected facilities have reverted to using paper for patient charting, as the electronic medical records and other IT systems have been taken offline during the incident response, he said.
Right now there are no projections on when IT systems will be back to operating normally. "We're making sure the systems are flushed," the spokesman said. He declined to say whether the incident is believed to involve ransomware.
Bigger Problems
Security firm Emsisoft has counted 15 healthcare systems operating 29 hospitals that have been hit with ransomware incidents so far in 2023. Data was stolen from 12 of the 15 healthcare organizations affected.
"While hospitals tend to downplay the impact of cyberattacks, they do represent a very real risk to patient safety - and that's perhaps especially true when patients in need of emergency care are redirected," said Brett Callow, threat analyst at Emsisoft.
Cyberattacks continue to afflict healthcare sector entities of all types and sizes, but the incident affecting the Mountain View and Idaho Falls Community hospitals and affiliated clinics spotlights the immense cyber challenges that many small and rural hospitals face.
"Small and rural hospitals have so many competing priorities," said Kate Pierce, the former longtime CIO and CISO of North Country Hospital, a 25-bed community hospital in Vermont.
"They have a much smaller staff and a lot of times they just don't have the resources in house to address their cyber needs," Pierce told Information Security Media Group.
"Those cyber needs have grown so quickly, and they're so abundant now that they often just can't keep up with the needs of protecting their environment," said Pierce, who is currently virtual information security officer and executive director of the subsidy program at Fortified Health Security.
"We're getting past where rural hospitals used to feel like, 'Oh, nobody's going to target us because we're rural.' They're starting to realize now that it doesn't matter where you are in the world, or whether you're rural or you're a large facility. You can still be attacked by cybercriminals."
The lack of cyber talent that many small, rural facilities struggle with is a problem during disruptive attacks - and that has caught the attention of Congress.
Pierce was among witnesses who testified in March at a Senate Homeland Security and Governmental Affairs Committee hearing examining the cyber challenges faced by the healthcare sector (see: Healthcare Leaders Call for Cybersecurity Standards).
Sens. Josh Hawley, R-Missouri, and Gary Peters, D-Michigan, earlier this month introduced the bipartisan Rural Hospital Cybersecurity Enhancement Act, which aims to help address the shortage of cybersecurity skills facing rural hospitals (see: Bipartisan Bill Aims to Shut Rural Hospital Cyber Skill Gaps).
Among other proposals, the bill would require the Cybersecurity and Infrastructure Security Agency to develop a comprehensive cybersecurity workforce development strategy for healthcare facilities located in "non-urbanized" areas that provide inpatient and outpatient care services, such as primary care, emergency care and diagnostic services.
"Rural hospitals do not necessarily have a large talent pool unlike urban areas, and rural hospitals typically pay less, said attorney Lee Kim, senior principal of cybersecurity and privacy of the Healthcare Information and Management Systems Society.
"The intentions are good, but the question is whether there is the political will to get this through both chambers," she said. "There is a moderate chance that this bill could gain momentum. The real question is whether this bill will solve the problem of cybersecurity workforce shortage in rural hospitals."