A devastating hack revealed the perils of opening a phishing email
Last year, employees at Sky Lakes Medical Center in Klamath Falls learned that attention to information security is a form of patient care.
When the hospital’s information security defenses failed last October, clinicians’ ability to access patient history, view patient images and obtain patient medication and laboratory results disappeared in minutes. Patient monitoring systems went dark while physician orders and clinical charting were reduced to handwritten notes. Transport-tube outages meant plastic bin pick-up and “sneaker-net” delivery of patient samples across the hospital.
Clinicians were forced to provide patient care for 23 days without access to Epic, and even longer without corporate email and other patient care or business operations systems. Patient services became limited to emergency and outpatient care; other patients had to wait to be treated as pressed staff worked overtime.
How did this happen? A Sky Lakes employee was fooled by a phishing email and clicked a link, and Sky Lakes computers were not configured to resist the “ransomware” released by the click.
Hospitals across the globe have fallen prey to ransomware and to the sudden lurch that follows: from the high patient care efficiency gleaned from an electronic medical record to the slow, labor-intensive, manual paper practices of many years ago.
One study found that in 2020, 92 individual ransomware attacks hit 600 clinics, hospitals and health care organizations, affecting 18 million patient records. Ransomware is a type of malicious software designed to block access to a computer system until money is paid. Ransomware seems to strike without warning. Once a phishing email is clicked, the ransomware detonates on impact and its effects can spread across a computer network in minutes.
The costs of these attacks are almost $21 billion. Last fall, the FBI issued a warning that more ransomware is expected, posing “an increased and imminent cybercrime threat to U.S. hospitals and health care providers.”
To make matters worse, recent ransomware attacks appear to be expanding their extortion practices and impact on patient well-being. In addition to creating system outages, cybercriminals have begun publishing patient data found on ransomed computers. These patients suffered an invasion of privacy and a loss of integrity to their medical record due to a preventable ransomware incident.
Asante information security officer David Kennington urges all Asante staff to exercise caution when electronically interacting with any other party.
“Every employee plays a critical role in properly safeguarding and using patient and confidential information and resources,” he said. “Understanding the threats and being able to identify potential phishing emails are key to protecting the patients we serve.”
Keep in mind that Asante’s ability to provide our best patient care and meet our Mission can stop suddenly — and for a painfully long period of time — if employees aren’t vigilant or fail to report system security vulnerabilities.