Could Anything Have Saved Saint Margaret’s Hospital?

Spring Valley, Illinois is a city of 5,582 located 100 miles southwest of Chicago in rural Bureau County. Its hospital, St. Margaret’s, had the distinction this month of becoming the first healthcare facility in the US to close as the result of a ransomware attack. The closure reveals the real-life impact of digital threats. According to Spring Valley’s mayor, Melanie Malooley-Thompson, some residents will now have to travel about a half to reach the nearest emergency room and obstetrics services. That’s a long time to travel in an emergency.


A ransomware attack on a hospital can result in rerouting of ambulances, delays in treatment and patients receiving incorrect doses of medication. Indeed, such delays can be fatal. Numerous studies have linked hospital downtime due to ransomware attacks to increased mortality rates. For instance, a ransomware attack on a hospital in Düsseldorf, Germany in 2020 contributed to the death of a woman who needed urgent treatment for an aortic aneurysm.

Malooley-Thompson said, “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare.”

The attack that put Saint Margaret’s out of business actually occurred two years ago, and it had no impact on the delivery of care. Rather, it prevented the hospital from submitting claims to Medicare, Medicaid and private health insurers, but it was too much for the hospital, reeling from COVID-19, to handle. Sister Suzanne Stahl, chair of SMP Health, the hospital’s parent organization, said, “Due to a number of factors, such as the Covid-19 pandemic, the cyberattack on the computer system of St. Margaret’s Health, and a shortage of staff, it has become impossible to sustain our ministry. This saddens us greatly.”

The shuttering of Saint Margaret’s also made an impression on David Anderson, Chief Information Security Officer at Ensemble Health Partners, a healthcare revenue cycle management company. Anderson, who is a nurse by training, spent 27 years in cybersecurity roles in the US military and intelligence community.


Anderson grew up in a rural area, so he understands the devastating consequences of a hospital closure. To him, the challenges facing Saint Margaret’s are common throughout the industry, but particularly difficult for facilities located outside of urban areas. He said, “We have a massive shortage in staffing. It’s very difficult to find and maintain qualified staff. And, when you’ve got the tight budgets that these smaller hospitals have, they have to make a choice between security and care.”

As he put it, “If it comes down to it, are you going to buy another CT scanner so you can provide care or are you going to put your money in something that still might be a little bit more nebulous, and you’re not certain what kind of impact you’re going to have?”

Anderson thinks the reality of Saint Margaret’s may change that calculus for other healthcare providers. As he said, “It comes down to a question of what’s our primary mission: is patient care? Security is often viewed as a cost center rather than essentially insurance against an existential threat.” Now, the existential nature of the threat is manifest.

One relatively easy step for small, rural hospitals to take, according to Anderson, is to join the Health Information Sharing and Analysis Center (H-ISAC). This non-profit organization offers healthcare organizations a community and forum for coordinating physical and cyber threat intelligence. It costs $2,400, but that’s a tiny investment considering the potential benefits. “Joining H-ISAC can bring smaller facilities up to speed on the latest incident response playbooks,” Anderson added.


The staffing problem will not solve itself, however. For this, Anderson, and others, are pleased that the federal government is starting to focus on the issue. Last month, Missouri Senator Josh Hawley introduced legislation, S.1560, the Rural Hospital Cybersecurity Enhancement Act, which proposes to have the Cybersecurity and Infrastructure Security Agency (CISA) help rural hospitals with cyber workforce development. It’s hard to tell, based on the language of the bill, how this will actually work, but the underlying idea is a good one.

Senator Hawley is right to pay attention to this issue. The healthcare sector is at risk, with research in 2020 revealing that a third of healthcare organizations worldwide were victims of ransomware attacks. The pace of attacks does not appear to have let up.

It’s also probably time to factor in the bigger picture in these attacks. The identity of the attackers is not a complete mystery. They are predominantly criminal gangs, three quarters of whom come from Russia, according to the U.S. Department of the Treasury.

Only the naivest observer would wonder why gangs in Russia, which operate with the permission, or at the direction, of the Putin regime, would target American healthcare providers. Yes, there’s money in it, but as the closure of Saint Margaret’s shows, the attacks also destabilize American communities. Given the proxy conflict in Ukraine, it would appear logical that Russia would attempt to attack the United States in any way it could. These are arguably acts of cyber terrorism, so it might be wise to consider responses and countermeasures that align with this interpretation of events.