Ohio medical center offline following another security incident in the health sector

Written by

A cybersecurity incident has forced the computer systems of an Ohio medical center offline for multiple days and prompted the clinic to postpone elective procedures for patients.

A statement Tuesday from the Ashtabula County Medical Center, which includes a hospital of more than 200 beds, said the emergency department remains open and that outpatient care has continued as outside security experts investigate the disruption.

The medical center did not specify the cause of the security incident, though Wired reported that ransomware was the cause. A spokesperson for the medical center did not respond to a request for comment Tuesday. NBC News first reported on the medical center’s statement.

The disruption at Ashtabula County Medical Center comes as Universal Health Services, which describes itself as one of the largest health care providers in the U.S. grapples with a suspected ransomware attack.

In what has become a familiar refrain in health care organizations’ response to cyberattacks, the Ashtabula County Medical Center said it was implementing back-up plans for operating and that patient data didn’t appear to be compromised. “The safety of our patients and caregivers is always our highest priority and has not been affected by this disruption,” said Michael Habowski, the medical center’s CEO.

The growing dependence of health care facilities on information technology, along with the strain on resources due to the coronavirus pandemic, have made the sector vulnerable to criminal hacking. Earlier this month, a patient in Germany died after being turned away from a hospital that was hit by another ransomware attack.

Allan Liska, a ransomware specialist at threat-intelligence firm Recorded Future, counted more than 71 publicly reported ransomware attacks on health care providers this year — more than in all of 2019.

“Ransomware actors go after health care providers because they are easy, and profitable, targets,” Liska told CyberScoop. “While there are some ransomware groups that won’t target hospitals, most prefer the money and don’t care about the consequences.”