Logan Health in Kalispell, Mont., has experienced three data breaches in the past five years. Those cyberattacks exposed the names, phone numbers and addresses of hundreds of thousands of patients. The hospital later settled a lawsuit related to the incidents for $4.2 million. / Montana Public Radio

More devices than ever inside hospitals require an internet connection, everything from MRI machines and health records to heart rate monitors. The latest and best equipment can speed up and improve patient care, but connection comes with risk.

“If you can’t afford to protect it, you can’t afford to connect it,” said Beau Woods, a cybersecurity expert and founder of Stratigos Security.

Keeping up with the latest cybersecurity tools can be expensive, but it’s crucial for hospitals big and small. They’ve recently become prime targets for malicious hackers because of valuable patient data that can be sold or held for ransom.

These attacks on health care organizations can be financially crippling, but the costs can go further. Federal reports and studies show cyberattacks slow doctors’ ability to treat patients and can even force hospitals to send patients elsewhere for treatment, delaying care and putting patients’ lives at risk during events such as strokes.

Cyberattacks against the U.S. health care sector more than doubled between 2022 and 2023, according to the Cyber Threat Intelligence Integration Center.

In February, a devastating attack on Change Healthcare, a company that processes health care payments, wreaked havoc across the U.S.

Pharmacies couldn’t verify and process prescriptions, and doctors were unable to bill insurers or look up patients’ medical histories.

Andrew Witty, CEO of UnitedHealth Group, testifies at a Senate Finance Committee hearing about cyber attacks on health care on May 1, 2024, on Capitol Hill in Washington. Hackers attacked his company's subsidiary, Change Healthcare, in February, triggering a massive disruption for medical claims and payments. UnitedHealth Group eventually paid a $22 million ransom in bitcoin, Witty said. / AP

In May, a ransomware attack hit Ascension, a Catholic health system with 140 hospitals in at least 10 states. Doctors and nurses working at Ascension reported medication errors and delays in lab results that harmed patient care.

On June 10, the Biden administration announced some protections meant to tighten cybersecurity in health care.

The announcement included a plan for tech companies Google and Microsoft to offer various cybersecurity services for free or at discounted prices to hospitals that otherwise could not pay for the latest and best cyber-defenses.

Properly protecting against a cyberattack can be especially hard for smaller hospitals.

“For a couple of reasons: It is expensive, and to find the IT professionals, they have the same kinds of problems with recruiting people to be in the more rural communities,” said Bob Olson, president and CEO of the Montana Hospital Association.

Many high-end cybersecurity tools have been mostly marketed to larger hospital systems and cost at least six figures, said Lee Kim, a cybersecurity expert with the Healthcare Information and Management Systems Society.

Only recently have IT companies begun marketing these products to mid-size and small hospitals, Kim added.

That’s why Kim and other cybersecurity experts believe the White House’s recent announcement is a significant and necessary development. Google and Microsoft will offer one year of free security assessments and discounts of up to 75% on their cybersecurity tools for small and rural hospitals.

“You’re never going to get a level playing field here, but we got to be able to do at least a bottom tier level of protection to try to keep our communities safe,” said Alan Morgan, CEO of the National Rural Health Association.

Morgan helped broker the deal with the tech giants. While these services are temporary, he thinks many hospitals will utilize them.

Others expressed concern that the offer only lasts for a year. Without support in the future, small hospitals could again struggle to pay for adequate cyber-defenses, said Amie Stepanovich, an expert at the Future of Privacy Forum.

Stepanovich would also like the federal government to offer more direct help to hospitals after attacks, and more assistance with recovery.

She predicts cyberattacks will continue to happen at both big and small hospitals because a facility’s cyber-defenses have to be perfect all the time. “All the attacker needs is to find the one hole,” Stepanovich said.

Small hospitals have increasingly become targets.

Logan Health in Kalispell, Mont., experienced multiple data breaches, and settled a lawsuit after a 2019 hack of hundreds of patients’ data.

St. Vincent hospital in Billings, Mont., and St. Patrick in Missoula, Mont., have also experienced data breaches.

A hospital in Gillette, Wyoming was forced to divert patients to other hospitals in 2019 during a cyberattack because it couldn’t properly treat them.

Beau Woods said attacks like those in Wyoming, and other rural areas, are dangerous because the next closest hospital could be 30 minutes or more than an hour away.

That puts patients with acute and life-threatening conditions such as strokes or heart attacks at greater risk of permanent damage to their health or even death.

Woods helps lead cyberattack simulations for providers through CyberMed Summit, a nonprofit focused on cybersecurity in the health care industry.

During a recent simulation, Arman Hussain, a medical resident at George Washington University, practiced what it would be like to treat two patients, one experiencing a stroke and the other a heart attack.

During the simulation, Hussain had to treat manikins standing in for patients. Nurses and other staff members followed a pre-set script, but Hussain was kept in the dark about what problems he would encounter.

“In both of those scenarios, our ability to use the computer and some of our ability to use vital monitoring software went away in the middle of the simulation,” he explained.

Hospitals have developed some workarounds for such situations. Doctors and nurses can take manual readings of heart rate and blood pressure, instead of relying on networked devices. They can use messengers to send written orders to the lab or pharmacy.

But other tasks, such as getting lab results or dispensing crucial medications, can be extremely challenging if a hospital processes those through a computer system that’s shut down.

Not knowing a patient’s allergies or being able to access other relevant information from their digital medical files can also lead to medical errors.

Every hospital should provide this type of training, Hussain said after the simulation. They should also create plans for cyberattacks so patients can get the lifesaving care they need.

“Putting yourself in that scenario is going to bring forth all these different logistical questions you would have never thought of, if you were not in that situation itself,” said Hussain.

This article comes from NPR's health reporting partnership with MTPR and KFF Health News.