CentraState Medical Center in New Jersey, Hospital for Sick Children (SickKids), and Queen Elizabeth Hospital (QEH) in Barbados are facing continued disruptions due to cybersecurity incidents in the last few weeks.
The ongoing outages confirm earlier warnings from American Hospital Association’s National Advisor for Cybersecurity and Risk John Riggi for the healthcare sector to remain vigilant as threat actors would remain highly active during the holiday season.
As seen with the latest Emsisoft ransomware data, ransomware attacks against the healthcare sector have remained constant in recent years. In 2022, 25 providers and their 290 hospitals were impacted by these attacks — the most notable of which was the CommonSpirit Health incident launched in the fall.
While two of the latest incidents are impacting global providers, the disruptions and the successful processes should serve as lessons for the U.S. sector and the need to prioritize patient safety when building incident response processes.
CentraState Medical Center reports care diversion processes
With a Dec. 30 post on its website, CentraState is the most recent provider to fall victim to an apparent cyberattack. Officials say the hospital is facing “some technical problems related to an IT security issue” and are operating under care diversion processes, sending incoming patients to area hospitals in response to the network outages.
The hospital is operating under electronic health record downtime procedures with paper processes, which has enabled the hospital to continue logging patient care through available records on site. Officials assert that patient care has not been adversely affected.
CentraState CEO and President Tom Scott explained to local media that the systems began showing signs of disruption during the morning shift change and the hospital isolated the affected systems in response, while shutting down the network to prevent proliferation.
Local EMS providers were also notified of the need to divert patients away from CentraState for an unspecified period of time, as it’s unclear just how long the outages will continue.
LockBit issues free decryptor after attack on children’s hospital
Meanwhile, a cyberattack struck SickKids ahead of the holidays, which has since been tied to LockBit. The threat actors posted on their site that the attack on a healthcare provider was caused by a “partner” actor, before they apologized for the attack and issued the hospital a free decryptor to remediate the situation.
A release from SickKids seemingly confirms the attribution, as hospital leaders are now assessing the possible use of the decryptor with advice and support from a third-party security firm.
It should be noted that despite their apology, this is certainly not the first LockBit attack against the healthcare sector. The SickKids' attack came just five days after a Department of Health and Human Services Cybersecurity Coordination Center alert on LockBit 3.0 attacks against the healthcare sector — reporting that multiple U.S. providers had fallen victim to the threat group.
In fact, the group was responsible for the attack on the Center Hospitalier Sud Francilien in France that revived patient safety concerns across the sector.
For SickKids, the attack and related network outages began the evening of Dec. 18, which affected several network systems and prompted a “Code Gray — system failure.” The initial evidence suggested that only a few internal clinical and corporate systems were impacted by the attack that was confirmed as ransomware on Dec. 22.
The hospital was able to maintain urgent and emergent care due to its prepared incident response plans. However, clinical teams reported delays with retrieving lab and imaging results that caused care delays for diagnostics and treatment for some patients. The incident also disrupted the typical process for processing prescriptions and internal timekeeping system.
But SickKids’ HR team initiated its emergency recovery plan to ensure the workforce was paid accurately and on time. As seen with the serious payroll disruptions after payroll vendor Kronos suffered a ransomware attack, these backup plans are crucial under the current threat landscape to ensure business continuity for critical processes.
Despite the preparation and swift action, recovery for the hospital has been slow-going. Eleven days after the attack, the hospital reported that just 50% of the systems had been recovered. As of Jan. 1, just 60% of its priority systems had been restored. Officials said “restoration efforts are ongoing and progressing well.”
For now, they’ve found no evidence personal or protected health information has been affected, nor has the hospital made a ransomware payment.
Ongoing internet, systems outage at Barbados hospital
Since Dec. 14, the Queen Elizabeth Hospital (QEH) has been responding to a cybersecurity incident that has led to care disruptions across its care sites due to a lack of internet and systems access.
The hospital has shifted its pharmacy processes, including canceling home delivery, while reporting delays at its outpatient clinics and accident & emergency department. Some of these delays are ongoing. All radiology appointments for CT scans, ultrasounds and x-rays were postponed in the initial days of the outages.
Currently, the radiology department is only open for emergency appointments and is still unable to provide CT scans, X-rays, and ultrasounds.
The latest update issued on Dec. 29 showed recovery was ongoing with the hospital response team and outside support continuing to assess and contain the incident, while starting to “clean” its computer systems.
“The return to regular internet-based activity will occur in a phased approach across the hospital and is expected to commence during the first week in January,” officials said in a statement. For now, clinicians are leveraging manual operations.
The hospital is not able to issue new appointment dates during the outage, and patients are being urged to come to appointments with their medical paperwork, referral, or appointment slip for logging purposes.