Tim Stanley
Tulsa World Staff Writer
The ransomware attacks that have affected two of the Tulsa-area’s trio of large private health systems are part of a national trend that’s not going away anytime soon, cybercrime experts say.
“I don’t want to be entirely fatalistic. Not every system gets attacked,” said Tyler Moore, chair of the University of Tulsa’s School of Cyber Studies. “But these are profit-motivated criminals. Hospitals are strongly incentivized to pay the ransom, and criminals stick to what works.
“It’s just a matter of time before they’re going to find the next one.”
Four weeks after Ascension was hit with a ransomware attack that affected its St. John Health System, it reported Friday that its Oklahoma hospitals’ electronic health records system was finally back online.
People are also reading…
The attack was discovered May 8, with Tulsa’s Ascension St. John emergency room being placed on divert status for about a week.
Last fall, Hillcrest HealthCare System had to reschedule or divert some patients after its parent company, Ardent, suffered a ransomware attack.
The attacks are part of a trend making headlines nationwide, as cyberthieves hack into hospital systems and essentially hold their data and networks hostage in exchange for ransom payments.
“It’s highly lucrative,” Moore said.
Hospitals and municipalities — the city of Tulsa experienced its own attack in 2021 — have been favorite targets since ransomware became a reality two decades ago, he said. And it’s only grown worse with the development of cryptocurrency, which made collecting ransom payments easier.
But the parent companies of Hillcrest and Ascension St. John make attractive targets for other reasons, as well, he said.
“They are part of multistate systems, and I don’t think that’s a coincidence,” said Moore, Tandy professor of cyber security at TU. “With a huge multistate system, there’s many more potential entry points for attackers. Also, they are a more attractive ransomware target, frankly. They can pay more than a smaller hospital system.”
Tulsa’s other big private system, Saint Francis Health System, is wholly owned and operated in Tulsa and has so far avoided a ransomware attack.
Moore said: “I wouldn’t bet the farm that (Saint Francis) won’t be hit, but I think it’s certainly more likely that the others would be, and it’s just because they are big, multistate systems.”
Because of the nature of what hospitals do — holding people’s health and even lives in their hands — the pressure is on them to resolve the situation quickly, said Justin Miller, a retired U.S. Secret Service cyberfraud investigator who now teaches at TU.
Because of that, cyberthieves know that most of the time their ransom demands will be met.
“But we don’t want to promote paying the ransom because it just perpetuates the problem,” said Miller, TU associate professor of cyber studies.
“What ransomware victims don’t really understand is — say, you pay the ransom and get access back to your networks with all your patient records, all that (personal information). I guarantee you your data has been copied and is now being sold on the dark web.”
Miller said the best way for organizations to minimize the impact of a ransomware attack — and even avoid having to pay the ransom at all — is to have in place a robust backup and recovery system.
This is a system that regularly creates and stores copies of data, which would allow the organization to restore its network to a point before the attack.
“No cybersecurity program is foolproof,” Miller said, “but if we have the right people in place and we’re backing up the data through a segmented process, then if we do get attacked, we can take everything down, bring up a whole clean shell and restart operations. Kind of like with a power outage.”
Such a system, though, may be too costly and complex for many organizations, he added.
“It requires a lot of manpower and a lot of money,” he said.
Either way, planning ahead is a must, Miller said.
“Invest in proper cybertraining, plan for cyber event readiness, have a solution and be resilient,” he said.
He added that hospitals are growing “more and more savvy” and are fending off certain cyberattacks.
“But eventually one just seems to make its way through,” Miller said. “It doesn’t matter how robust your cybersecurity processes are — it’s a human that uses it. When that human makes an error, that technology has been compromised.”
“Usually something gets stolen or someone gets phished — they answer an email and give up information they shouldn’t have given up.”
For organizations like health systems, the issue is further complicated by their use of third-party vendors.
As for the specifics of what happened with Ascension or Ardent, it’s unlikely they will ever be made public.
“It’s hard to say, really,” Moore said. “But as they investigate I’m sure they will find that there was some problem and weakness in their security that allowed the attack to succeed.”
“This is something that can happen to any system,” Moore added. “So hospital systems need to be vigilant. From a hospital’s perspective, it’s about managing that risk and making it less likely to occur. And there are things you can do to make it less likely.”
The Tulsa World is where your story lives
The Tulsa World newsroom is committed to covering this community with curiosity, tenacity and depth. Our passion for telling the story of Tulsa remains unwavering. Because your story is our story. Thank you to our subscribers who support local journalism. Join them with limited-time offers at tulsaworld.com/story.
