Capital Region Medical Center targeted by cyberattack


The Capital Region Medical Center broke its silence on Wednesday over an incident that has left its network and phone systems down for the past six days.

CRMC discovered an interruption in its network systems early Friday morning. It shut down its network for security reasons and opened an investigation into the incident. Investigators determined the breach was due to a cybersecurity incident.

“As our Information Security team works diligently to get our systems back online as quickly and securely as possible, nothing is more important to us than the health and safety of our patients and to continue providing the care our patients expect,” Lindsay Huhman, director of marketing and communications for CRMC, said in a press release. “Downtime procedures are in place for doctors, nurses and staff to provide care in these types of situations, and our staff are committed to doing everything possible to mitigate disruption and provide uninterrupted care to our patients.”

Downtime procedures, Huhman said, are policies in place to continue to safely care for patients in the event of a partial or catastrophic network failure. However, she said, “each patient’s case is assessed individually to provide the best possible care.”

The American Hospital Association has researched cyber attacks and ransomware attacks against hospitals. In “Ransomware Attacks on Hospitals Have Changed,” the AHA reported that the attacks can lead to life-threatening incidents in hospitals. They threaten a hospital’s ability to provide care, putting patients at risk, the report’s summary says.

At the onset of the COVID-19 pandemic, cybercriminals used the pandemic as an opportunity to exploit, victimize, and profit from phishing emails and other cyber attacks on hospitals.

Laws are in place to deter such attacks. Prosecutors can use federal laws covering racketeering and corrupt organizations, money laundering, commercial extortion, homicide, and even terrorism to charge people accused of cyber attacks.

“These additional crimes carry much tougher penalties that are more consistent with the life threatening element presented by disruptive cyber attacks on hospitals,” the report said.

Federal laws allow the Treasury Department to impose financial penalties on foreign entities that carry out cyber attacks.

“Hospital leaders can play a more direct role in strengthening the sector’s cyber defenses by participating in and promoting public-private partnerships and other collaborative efforts,” the report said. “Sharing threat information and other joint efforts can reduce the likelihood of successful attacks and help organizations recover and resume operations faster. Both of these results decrease the financial incentive to carry out ransomware attacks. The AHA, the Center for Healthcare Information Sharing and Analysis, and the HHS-sponsored Healthcare Industry Cybersecurity Working Group have separately urged more public-private partnerships to improve cybersecurity as part of a ‘whole nation’ approach to defending against cyber threats.”

All healthcare organizations face the same threats and potential consequences of cyber attacks, the report says. All therefore have the same incentive to freely exchange information on threats.

Another AHA report, “The Growing Threat of Ransomware Attacks on Hospitals,” highlighted that one in three healthcare organizations worldwide reported being attacked by ransomware in 2020.

“The extent and impact of a successful attack can be enormous,” it said. “More than 600 healthcare organizations in the United States and over 18 million patient records were affected in 2020 alone at an estimated cost of nearly $21 billion.

“When Universal Health – a major hospital chain operating in multiple states – was attacked last fall, it had to move surgical patients and divert ambulances to other hospitals.”

It is not known whether patients’ personal information was breached in Friday’s attack. Huhman said that if investigators discover any personal or health information was involved in the incident, the hospital “will notify such individuals in accordance with applicable laws.”

