Ransomware infects hospitals in Ohio, West Virginia

Ransomware has infected two hospitals in Ohio and West Virginia, a spokeswoman said Monday.

The attack affected the Ohio Valley Medical Center and East Ohio Regional Hospital, Karen Janiszewski, spokeswoman for parent company Ohio Valley Health Services & Education Corp., confirmed in an email to CyberScoop. Officials did not specify what kind of ransomware caused the incident.

The attack Friday prevented the two hospitals, which together have 340 beds, from receiving patients via ambulance through at least part of Thanksgiving weekend, Ohio’s The Times Leader reported. No patient data was compromised and the hospitals could accept walk-in patients, according to the paper.

The two hospitals are “the area’s only comprehensive behavioral and mental health services and board certified emergency services on both sides of the Ohio River,” which separates Ohio and West Virginia, according to their website.

This attack is only the latest to strike U.S. medical facilities. Health care organizations have been on the front lines of recent ransomware infections. Nearly a quarter of the 67 SamSam ransomware attacks in 2018, for example, targeted the health sector, according to cybersecurity company Symantec.

In a Facebook post Saturday, the Ohio and West Virginia hospitals said, “We apologize for the inconvenience and are continuing to work on the situation.”

Posted by OVMC and EORH on Saturday, November 24, 2018

In the face of the persistent ransomware threat, medical professionals are prioritizing cybersecurity, but are under-resourced in their defenses, research shows.

Of the 400 medical professionals surveyed by the Chertoff Group and health care company Abbott, more than 90 percent said that securing patient data is a focus at their hospital. However, 75 percent of the doctors and 62 percent of the hospital administrators felt “inadequately trained or prepared” to mitigate cybersecurity risk.

Some organizations have responded to ransomware attacks by paying off the hackers: In January, after SamSam hit an Indiana hospital computer network, hospital officials paid $50,000 to unlock the data.

Beau Woods, a cyber safety innovation fellow at the Atlantic Council, said that health care organizations should take concrete steps to prepare for ransomware such as backing up data, updating clinical systems, and practicing the ability to function offline.

“Tools meant to improve patient care can impede it if not well safeguarded,” Woods told CyberScoop.

As for the pair of Ohio and West Virginia hospitals, the facilities’ IT security team was aiming to have the ransomware infection “resolved” by this past Sunday, Janiszewski told The Times Leader.

Whether the hospitals met that goal is unclear. The parent company has not answered multiple requests for clarification from CyberScoop.