Ransomware Attacks
Sonya Collins

One in three health care organizations worldwide reported falling prey to a ransomware attack in 2020. In this type of cyberattack, software that is downloaded onto a health-system computer—typically by an unwitting authorized user—encrypts the files that run the computer. Hackers then demand a ransom from the hospital to decrypt the files and relinquish control of the computers.
Cyberattacks in general, which include ransomware attacks and a variety of other data and security breaches, rose steeply to hit an all-time high in 2021. In the first 6 months of that year alone, there were 2,084 reports of ransomware attacks on U.S. hospitals.
“COVID-19’s been hard on IT departments. You have more ports open to allow people to work remotely and for doctors and patients to use the network to communicate in telehealth appointments,” said Dean Sittig, PhD, a professor at UTHealth Houston School of Biomedical Informatics. This means more vulnerabilities, he adds. “We’ve lost some security in exchange for convenience and ease of access.”
And the numbers, Sittig says, don’t even tell the whole story. Cyberattacks are notoriously under-reported. “People hide ransomware attacks. They keep it quiet and hope no one will know because they are embarrassed.”
No one is immune
Cyberattacks can happen to any health system, says Oscar Santalo, PharmD, MBA, MHA, BCPS, pharmacy manager at AdventHealth in Winter Garden, FL. “Everybody from super-large health systems with all the right resources to independent community hospitals also.” Santalo coauthored a JAPhA paper on pharmacist preparedness for cyberattacks, which was published online in April 2022.
An April 2022 report in STAT by Marion Renault revealed that these attacks are on the rise at rural hospitals.
“You can’t get as much money from a small hospital, but you can still get a couple thousand dollars, and since you didn’t really have to do anything for that money, it’s not bad money,” Sittig said.
To carry out a cyberattack, hackers use malware (any type of software intended to do harm) to infect a large number of internet-connected devices and create a botnet (a robot network) without the users’ knowledge. The malware uses the infected computers to scan other computers for vulnerabilities to find potential prey to infect with ransomware. Because it’s relatively cheap to use these unwitting computers to scan others for weaknesses, the botnets will check every network they can without discrimination.
“Little hospitals, private doctors’ offices, pharmacies—they are all vulnerable because they are all on the network. Everyone’s on the network all the time. A pharmacy can’t do business without being on the network,” Sittig said.
Cyberattack and downtime preparedness
There’s no failsafe method to prevent a cyberattack altogether, but health systems can take important steps to reduce the fallout. Meaningful use laws as well as CMS and Joint Commission regulations require every hospital to have certain measures in place to prepare for and protect against cyberattacks.
“If things go down, you need to know all the automated systems and processes that will be impacted and what manual processes you will have in place to ensure patient safety because you’re still going to service patients throughout the downtime, so that has to be at the forefront,” Santalo said.
The JAPhA commentary by Santalo and colleagues details one hospital’s complete downtime plan. The take-home message, he says, is that pharmacies and other hospital departments must keep a designated downtime computer updated with the most recent version of their downtime plan and rehearse the plan on a regular basis in the same way they periodically run through other disaster procedures and protocols.
“You need to know who is taking over which tasks; who owns, for example, patient charts. Every hospital might be different, but you have to have clearly defined roles and know where to find all the necessary resources.”
Resources for protecting against cyberattacks and preparing a downtime plan
- SAFER Guides on HealthIT.gov
- Sittig DF, Singh H. A socio-technical approach to preventing, mitigating, and recovering from ransomware attacks. Appl Clin Inform. 2016.
- Santalo O, Perez G, Lorich C, et al. Defining key pharmacist and technician roles in response to a hospital downtime or cyberattack. JAPhA. 2022.