The 3-hospital system in New York has instituted downtime protocols. What would your organization do?
The bad news came around midnight March 18: Finger Lakes Health had been hacked, and “specific electronic systems” would remain encrypted unless the health system paid the ransom. As of this afternoon, it was still running without those digital resources, according to an announcement posted on Facebook.
Finger Lakes Health runs 3 hospitals, 4 long-term care facilities, and roughly 15 primary care and specialty medical practices in 4 counties in central New York, according to the group’s website. How many patients it serves is unclear, but the counties in which it operates are home to a total of about 261,000 people, according to US Census data.
“There is currently NO indication that patient or employee information has been compromised,” Finger Lakes Health wrote today.
The ransomware attack—the precise variety of which remains a mystery—has affected the health system’s daily operations. Earlier today, for instance, it noted that its physician practices were “experiencing some technical difficulties” that “impacted” phone and patient portal access, according to a separate post. But it didn’t end there.
“We immediately implemented our manual downtime protocol and procedures, which we have practiced for circumstances when computer access is limited,” Finger Lakes Health noted. “We, like many other health systems and businesses, have prepared for this inevitability due to the increase in these types of incidents.”
Whether such an assault is inevitable, however, remains a question. Healthcare and cybersecurity observers have long been shouting down the industry’s overall lack of preparation to guard against black-hat hackers. Some have accused healthcare organizations of not spending enough money or hiring the right people to build stronger defenses; others have claimed that crippling ransomware attacks are indeed unavoidable. Still, the scientific and anecdotal evidence that cybersecurity is a major problem for healthcare is striking.
Even so, Finger Lakes Health’s adherence to downtime protocols could make it among some of the luckier (or smarter) health systems to suffer a ransomware attack. Across the country, during nearly every health-tech conference, speakers joke about how many younger clinicians don’t know how to, say, fill out a paper medical record. Their oft-repeated point: Healthcare must better prepare for these not-so-rare incidents. Finger Lakes Health, meanwhile, praised their physicians for their performance during a crisis.
“We are working with law enforcement and security professionals to return to non-manual operations as quickly as possible,” the health system concluded. “We will continue to place patient/resident care at the center of our decisions.”
The institution didn’t mention the name of the individual or group that’s targeting their electronic equipment or which technologies are shut down.