June 13, 2023
A rural hospital in Illinois is closing, and experts have pointed to ransomware attacks leading to closure as one of the contributing factors. This incident is notable as it is the first time hospital leadership has explicitly cited a ransomware attack on a rural Illinois hospital, particularly St. Margaret’s Health.
Formed in 2021 through the consolidation of Illinois Valley Community Hospital in Peru and St. Margaret’s Hospital in Spring Valley, the hospital has made the difficult decision to cease operations at all its hospitals, clinics, and related facilities across both locations.
Table of Contents
Financial Struggles and Ransomware Attack Leading to Permanent Closure
In a Facebook post, Suzanne Stahl, the chair of SMP Health, the parent organization of St. Margaret’s Health, informed employees and the community about the forthcoming closure.
According to Stahl, the closure was influenced by various factors, including the COVID-19 pandemic, a cyberattack on the hospital’s computer system, and a staff shortage. She expressed deep sadness regarding the situation, stating that sustaining their ministry has become nearly impossible.
Stahl also mentioned that financial challenges have become increasingly common among rural hospitals nationwide, resulting in closures. The University of North Carolina’s NC Rural Health Research Program reports that there have been at least 10 rural hospital closures in 2023, compared to seven in 2022.
Regarding the future of the Peru campus and its related facilities and clinics, Stahl revealed that SMP Health and OSF Healthcare have signed a nonbinding letter of intent. The agreement entails OSF acquiring the campus, with plans to reopen services at a later date.
Rural Hospitals: Longstanding Pressures and Vulnerabilities
Joshua Corman, Vice President of Cyber Safety Strategy at Claroty, expressed his concern, stating that the closure of the said rural Illinois hospital is disheartening and may not be an isolated case. He believes similar closures may occur among other medium, small, and rural hospitals vulnerable to cyberattacks. Corman emphasized the vulnerability of these hospitals, referring to them as “target-rich, but cyber poor,” and suggested that a single ransomware incident could push them towards closure.
Corman also highlighted the potential risks communities face relying on these hospitals, especially when seeking care for time-sensitive conditions. He mentioned that the lack of alternative care sites nearby could increase patient risks, as delays of minutes or hours can have significant consequences.
Erich Kron, Security Awareness Advocate at KnowBe4, viewed the closure of St. Margaret’s Health System as a cautionary tale for financially strained hospitals. He emphasized the importance of not compromising on cybersecurity measures, even when facing budget constraints. Kron stated that organizations often make the mistake of reducing cybersecurity budgets to cut costs, only to regret the decision when they experience the adverse effects of a cyber incident.
Kron advised hospitals in a similar position to allocate their cybersecurity budgets intentionally, focusing on low-cost protections against common breach tactics like email phishing attacks. Hospitals can enhance security by prioritizing such measures without significant financial burdens.
The Future of Rural Hospitals and Cybersecurity Challenges
Cybersecurity leaders in the healthcare industry are increasingly concerned about ransomware, phishing, and breaches, regardless of the size or location of their organizations. However, for rural hospitals, managing cyber risks can be even more daunting.
The following strategies may effectively address common issues and help strengthen a rural hospital’s security capabilities:
- Empower staff with cybersecurity training: Equipping hospital employees with knowledge about their roles in safeguarding the organization’s systems and data raises their awareness of common cyberattack tactics. This knowledge enables them to take proactive measures to thwart potential attacks effectively.
- Prioritize timely software updates: Hackers often scour recently published lists of system vulnerabilities, targeting systems that haven’t applied essential patches. Thus, it is crucial to deploy software updates promptly. Enabling automatic system updates also helps streamline this process, keeping your organization ahead of potential security threats.
- Conduct regular risk assessments: With technology, processes, and procedures constantly evolving, so do the associated risks. Conducting a comprehensive technology risk assessment at least once a year allows you to identify and address new and emerging threats.
- Establish robust data recovery mechanisms: An elaborate data recovery mechanism becomes paramount in a catastrophic breach that renders information systems unusable. Regularly backing up your critical systems and storing the backups in a secure remote location ensures data integrity and minimizes potential losses.
Stepping Up for Safety: Hospitals Prioritizing Cyber Defense
The limited cybersecurity resources of certain hospitals, particularly those in rural areas, can put the entire healthcare ecosystem at risk. Therefore, hospitals must work together to make the industry less vulnerable to cyberattacks.
While compliance is crucial, it does not automatically imply guaranteed security. Hospitals should aim for a higher level of cybersecurity beyond the minimum requirements set by current security rules and policies. On top of this, policymakers should continuously review and update regulations to keep up with the evolving threats.