Cyberattack of New York hospitals prompts diversion of patients

A New York health system says a cyberattack has been discovered at two hospitals and a nursing home, adding to the large number of breaches at health organizations this year.

The Westchester Medical Center Health Network said Friday that the attack has affected the HealthAlliance of the Hudson Valley, including HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center.

As a result of the attack, Westchester said the system would temporarily divert ambulances from HealthAlliance Hospital Friday night. Westchester said it would be shutting down all IT systems at the two hospitals and nursing home as part of the process of restoring the network.

“We expect the systems to be offline for approximately 24 hours, then we will begin standing up our systems on a rolling basis – a process we expect will extend through the weekend,” the system said in a news release.

• Read more: Emerging cybersecurity threats in healthcare | Special report

HealthAlliance Hospital will remain open but the system said ambulances will be diverted and patients will be taken to other medical facilities. The hospital is also looking at possibly transferring some patients in the hospital to other facilities or to patients’ homes if it’s feasible.

Patients arriving at HealthAlliance Hospital will be treated and released if possible. For patients requiring more care, the hospital will stabilize them and transfer them to other facilities in the system.

“As always the care for residents in our community is our primary concern, and the need to divert ambulances and transfer patients has been communicated to all local EMS operators, potentially impacted medical facilities, elected officials, the New York State Department of Health, and patients’ families,” Westchester said in the release.

Westchester said the system has notified the FBI and other law enforcement agencies, and the organization is working with a cybersecurity company to determine what systems have been affected.

“We are working to resolve the issue as soon as possible and regret any inconvenience,” the system said.

The New York system joins a growing list of hospitals and health organizations that have suffered cybersecurity attacks this year.

More than 220 cyberattacks targeted hospitals and health systems in the first half of 2023, according to the American Hospital Association.

Analysts say 2023 could be a record-setting year in terms of the number of victims of health data breaches. More than 40 million Americans were affected by breaches of health information during the first half of the year, according to Critical Insight, a cybersecurity firm.

Cybersecurity experts say ransomware groups target hospitals because health data is highly valuable, and health systems are willing to pay to restore systems and serve patients. Authorities urge hospitals to avoid paying ransom, but cybersecurity experts acknowledge it’s a tough choice for hospitals.

• Read more: Paying the ransom: Hospitals face hard decisions in cyberattacks

Cindi Carter, global chief information security officer at Check Point Software Technologies, a cybersecurity firm, says hospitals need to think about cybersecurity in terms of protecting their patients.

“Above all measures, healthcare organizations should take a preventative approach to their cyber security practices, much in the same way that the five rights of medication ensure patient safety: the right patient, the right drug, the right dose, the right route of administration, the right time,” Carter said in a statement.

The Joint Commission published some guidelines in August for hospitals and health systems to respond to cyberattacks and continue caring for patients. Hospitals are urged to devise plans to continue patient care without critical systems for an extended period.

“Organizations should be prepared to have life- and safety-critical technology offline for four weeks or longer,” the commission suggests.

Cybersecurity experts have studied the effect of attacks on patient care at health systems.

When Scripps Health suffered a ransomware attack in 2021, the impact went well beyond the health system in San Diego. The attack on Scripps disrupted operations at nearby hospitals in San Diego, as stroke patients had to be transferred to other facilities and emergency departments saw more traffic, according to a study published in May by Jama Network Open.

Several cybersecurity experts talked with Chief Healthcare Executive® about emerging threats for hospitals and health systems.