TAMPA, Fla. (WFLA) — The American Hospital Association maintains that cybersecurity risks are a major problem for health care organizations, mainly due to just how much information they have on file, a lot of which is “of high monetary and intelligence value” to cyber thieves and “nation-state actors.”
On Thursday night, Tallahassee Memorial Hospital’s online systems were put under siege and targeted for what appeared to be a ransomware attack, bringing the risks of hacked hospitals closer to home for Floridians.
While the hospital’s IT security team shut down its network to quarantine the attack, and by doing so turned off all non-emergency procedures, it took three days for the hospital, and its larger system, to resume normal operations.
Tallahassee Memorial is part of a larger network, Tallahassee Memorial HealthCare. The not-for-profit system has been in operation since 1948 and now serves 66 locations in North Florida, South Alabama, and South Georgia, across 21 counties.
The Feb. 3 IT security issue, as TMH is describing it, impacted IT systems, leading to the system diverting emergency services and canceling outpatient and non-surgical procedures until Monday. At the time, TMH still accepted Level 1 trauma patients. The company also got in contact with law enforcement in order to work on investigating the attempted intrusion.
Still, TMH said operations remained impacted even as resumed operations expanded.
According to a Feb. 6 publication, surgical procedures are still limited and offices are using paper documentation for registration, admission, and filling prescriptions, advising patients to expect some delays. Some emergency services patients are still being diverted.
Part of the issue with the IT security attack is how much of a hospital’s system is connected to the internet, in what’s known as the Internet of Medical Things, or IoMT.
For some systems, if a hacker can get into a computer, they can get into everything, from patient records to billing information, to even controlling some medical equipment used for critical health services.
The National Institute of Health said remote patient monitoring, screening, and telehealth treatments have helped change the healthcare system to focus on “early diagnosis, prevention of spread, education and treatment and facilitate living in the new normal.” However, the integration creates its own challenges.
“Mass adoption seems challenging due to factors like privacy and security of data, management of large amount of data, scalability and upgradation etc.,” NIH reported, adding later in the study that “several challenges and implications exist today that need to be addressed before mass adoption of IOMT for instance privacy and security of data, data management, scalability and upgradation, regulations, interoperability and cost efficacy.”
Data privacy and security remains a challenge due to the “huge volume of sensitive health data” for patients, as well as its integration in patient monitoring and system management, according to the NIH.
Wipro, a technology service and consulting company said that IoMT devices can range anywhere from defribrillators to patient monitors to even oxygen pumps and nebulizers. They said “implementing apt security measures is crucial” to ensure patient data safety.
However, researchers say security breaches can also lead to loss of life in the healthcare sector.
“As most IoT devices weren’t developed with security in mind, they are very vulnerable to security breaches. And you can imagine that such compromised security could lead to untold chaos and loss of lives, particularly in the healthcare sector,” according to Richard van Hooijdonk, a self-described futurist and technological implant proponent. “The proliferation of IoMT devices and their lack of security, combined with ubiquitous internet connectivity significantly expands the scope for attacks, making healthcare one of the most ‘popular’ targets for cybercriminals.”
Bringing us back to Tallahassee, a TMH spokeswoman said in part on Tuesday that their staff were working with “outside experts and state and federal agencies to investigate the cause of the event and safely restore all computer systems as quickly as possible.”
More broadly focused on Florida and the rest of the country, Jotform did an analysis of the United states, focused on ranking them by healthcare records hacks.
According to the analysis, made by compiling information from the U.S. Department of Health and Human Services, the U.S. Census Bureau, and a report on data security by IBM, Florida is among the 10 states most at risk for health information breaches.
Jotform reported that while record breaches are at times due to mismanagement by healthcare providers, the majority were “overwhelmingly” breaches from hacking incidents. 80% of record breaches in 2022 were from hacks.
Florida had the seventh highest amount of reported records affected, and highest estimated costs, of all 50 states due to hacking of medical and health records, according to the Jotform ranking.
| Rank | State | Individual Records Affected | Estimated Costs |
|---|---|---|---|
| 1 | Texas | 4,957,050 | $738.6 million |
| 2 | Wisconsin | 4,498,306 | $670.25 million |
| 3 | Pennsylvania | 3,063,706 | $456.49 million |
| 4 | Massachusetts | 2,458,139 | $366.26 million |
| 5 | Colorado | 2,435,269 | $362.86 million |
| 6 | New York | 2,374,743 | $353.84 million |
| 7 | Florida | 2,254,815 | $335.97 million |
| 8 | California | 2,002,177 | $298.32 million |
| 9 | Michigan | 1,925,438 | $286.89 million |
| 10 | Illinois | 1,833,579 | $273.2 million |
According to federal records, 1.8 million Floridians were impacted in 2022, including in parts of Tampa Bay.
| Covered Entity | State | Entity Type | Individuals Affected | Breach Date | Breach Type |
|---|---|---|---|---|---|
| Ravkoo | FL | Healthcare Provider | 105,000 | 01/03/2022 | Hacking/IT Incident |
| South Walton Fire District | FL | Healthcare Provider | 25,331 | 11/15/2022 | Hacking/IT Incident |
| OCEANVIEWS OPTICAL INC | FL | Healthcare Provider | 2,000 | 11/03/2022 | Hacking/IT Incident |
| Seredor Centers, Inc. | FL | Healthcare Provider | 2,500 | 10/08/2022 | Hacking/IT Incident |
| Landmark Management Services | FL | Healthcare Provider | 501 | 09/15/2022 | Hacking/IT Incident |
| Synergic Healthcare Solutions, LLC d/b/a Fast Track Urgent Care Center | FL | Healthcare Provider | 258,411 | 07/12/2022 | Hacking/IT Incident |
| First Step of Sarasota, Inc. | FL | Healthcare Provider | 1,858 | 02/25/2022 | Hacking/IT Incident |
| Jacksonville Spine Center, P.A. | FL | Healthcare Provider | 38,000 | 02/10/2022 | Hacking/IT Incident |
| North Broward Hospital District d/b/a Broward Health (“Broward Health”) | FL | Healthcare Provider | 1,351,431 | 01/02/2022 | Hacking/IT Incident |
| Foundcare, Inc. | FL | Healthcare Provider | 14,194 | 12/16/2022 | Hacking/IT Incident |
| Orlando Health | FL | Healthcare Provider | 3,662 | 11/18/2022 | Hacking/IT Incident |
| Phoenix Programs of Florida, Inc. | FL | Healthcare Provider | 6,594 | 10/21/2022 | Hacking/IT Incident |
| Bonita Springs Retirement Village, Inc. | FL | Healthcare Provider | 554 | 09/19/2022 | Hacking/IT Incident |
| Florida Springs Surgery Center | FL | Healthcare Provider | 2,203 | 08/01/2022 | Hacking/IT Incident |
| Total | 1,812,239 |