Brooklyn Hospitals Decried for Silence on Cyber Incident
One Brooklyn Health System's Three Hospitals' Systems Affected by Nov. 19 Hack
Patients and neighboring physicians are frustrated over a lack of transparency from a trio of Brooklyn safety-net hospitals involved in an ongoing cyber incident affecting electronic health records, patient portals and other systems.
Some systems at One Brooklyn Health System's three hospitals - Interfaith Medical Center, Brookdale Hospital Medical Center and Kingsbrook Jewish Medical Center - were taken offline Nov. 19 following an incident about which little is publicly known.
Sources tell Information Security Media Group that the organization has been tight-lipped with other area hospitals about the cause of the outage, which is suspected to involve ransomware.
One Brooklyn Chief Executive Officer LaRay Brown said in a Wednesday statement that the cybersecurity incident caused a network disruption and that "immediately upon discovering the incident, we took certain systems offline to contain the disruption."
"Our teams have been successful in restoring access to certain clinical applications, including limited access to electronic medical records and other critical systems for a significant number of our team members. Patient care has not been impacted as a result of this incident," Brown said.
A One Brooklyn Health System employee tells Information Security Media Group that the incident caused hospital phone systems to randomly call patient and emergency contact phone numbers to inform them broadly that the organization is dealing with a "network outage" but that appointments have not been canceled.
In a follow-up email sent after this story was published, Brown tells ISMG those calls were not flukes. "The automated calls were intentional calls arranged by One Brooklyn Health to keep our patients - current and former - informed and to advise that we continue to be available for outpatient services," she says.*
The New York Post reported Tuesday that the hospitals are sending patients to other facilities but that One Brooklyn failed to notify New York Fire Department ambulance services to stop delivering emergency cases.
The hospital system's lack of transparency has frustrated leaders at other area hospitals, who are experiencing a sudden influx of patients and are fearful of falling victim to the same unexplained attack, a New York medical system cybersecurity official told ISMG on condition of anonymity.
Brown tells ISMG in her follow-up email that "a small percentage of emergency department patient transfers that have occurred since Nov. 19 because of the IT incident."
The effect of ransomware and related cyber incidents involving healthcare organizations can last for weeks, or even months.
Facilities affected by an October ransomware attack on Chicago-based hospital chain CommonSpirit were still dealing with IT outages for more than a month after the incident was detected (see: CommonSpirit Systems Still Offline One Month Post-Attack).
Axel Wirth, chief security strategist at security firm MedCrypt, says that one of the top lessons many healthcare sector entities have painfully learned in recent years is that they cannot assume that a cybersecurity event will be limited to a controlled environment - be it a single device, department or hospital.
"We need to consider - and plan and prepare for - impact across multiple clinical services, several departments, and even across regional hospitals. This is true for the technical aspect of the security event as well as the impact of shifting care delivery," he says.
Lack of Transparency Hurts
Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center, says a lack of transparency by healthcare organizations dealing with ransomware incidents is a common problem.
"Despite being a member of an ISAC, we still see organizations reluctant to share attack details when they are a victim of a cyber incident," he says.
Senior leaders at those organizations may not trust the anonymity and trust built into information-sharing processes and may be concerned about further exposure and negative reputational impact from unauthorized disclosures, he says.
"Given our incredibly litigious society, internal counsel at the impacted organization may also recommend against disclosure outside the company because it could possibly be used against the firm in future litigation," he says.
Many organizations do not realize that they have liability protections involving cyber information sharing under the Cybersecurity Information Sharing Act of 2015, he says. "We just need the government and society to create a culture that rewards sharing and does not punish the victim."
Weiss says that when H-ISAC learns of an incident affecting member and nonmember organizations, it offers them technical assistance and requests that they share the details of the incident.
"Organizations can share securely through Health-ISAC's Threat Intelligence Portal," he says. They can share anonymously and instruct Health-ISAC to share beyond the center if they choose, including with other ISACs and U.S. government organizations.
"The attack techniques and subsequent information is incredibly useful in protecting corporate networks," he says.
*Update Nov. 30, 2022 22:16 UTC: Adds additional comment from One Brooklyn Health