Tradeoffs: Health Care's Ransomware Wake-Up Call

Health care facilities in rural areas, including Montana and Wyoming, are more often the target of cyberattacks than in the past. YPR news’ Jess Sheldahl spoke with Ryan Levi, producer for the national health policy podcast Tradeoffs, about ransomware attacks aimed at the healthcare industry.

JS: So, thank you so much for your time today.

RL: Thanks for having me.

JS: So to dig into this topic of ransomware attacks against healthcare systems, you follow Karen Sprenger, COO and chief ransomware negotiator for LMG Security in Missoula, Montana. Can you tell me a little more about what she does?

RL: Yeah. So basically her job is to protect companies from cyberattacks.

Now, ideally, that's something she's doing proactively. And so that's helping them identify weaknesses, set up their defenses. They run drills with companies, what they call tabletop exercises, to plan for what you will do if a ransomware attack happens. But unfortunately, a lot of the time the proactive doesn't work, or somebody didn't have that proactive defense in place.

And so she's been brought in after an attack has happened, what they call incident response. And so the company has been attacked, the hospital, clinic, whatever it is, has been attacked. And Karen is brought in to assess the damage, kind of stop the bleeding, protect what's still there and advise them on how they should respond.

And oftentimes that includes negotiating ransoms with the cybercriminals who have attacked this clinic or this hospital or whatever it may be. Karen's done, she told us, more than a hundred ransom negotiations in just the last five years, more than 30 of those in healthcare. She's literally emailing or chatting in a chat box with someone, usually on the other side of the world, and trying to figure out how to help this clinic or hospital get its data back, get control of its systems back and let them get back to doing their jobs of helping people and saving lives.

JS: Since hospitals and other healthcare facilities tend to be smaller in a lot of places in our listening area, there's a lot less data available to take for ransom. So why should people in rural Montana or Wyoming care about these kinds of cyberattacks?

RL: So, one of the big points that Karen emphasized to us was that except for a few of the biggest ransomware gangs who like to go after big targets, like the Colonial Pipeline from a few months ago or a major hospital, most cybercriminals really aren't all that discerning about who they're targeting.

And they oftentimes don't even know that they've hit a healthcare facility.

Karen Sprenger: What's important to understand is, except in the cases of things like Colonial Pipeline, they are not targeting specific institutions, they are casting a wide net. And so that feeling of security that we get is false. They are just looking for a vulnerability, and if they find it, they're coming in.

RL: The other reason for concern, according to Karen and other cybersecurity experts that we talked to, is that smaller facilities are actually the most vulnerable.

They're the ones that have the fewest resources to put towards cybersecurity. And especially if they're in a rural area with not a lot of other facilities or hospitals around, the impact of that ransomware attack, which can shut down facilities and force them to divert ambulances or slow down care, can be a lot bigger, because there just aren't other places nearby where people can go to get care.

JS: I know this year, actually in Hamilton, Montana, Sapphire Community Health had to close down operations briefly because of a ransomware attack. And in Hamilton, there's only 4,700 people. There were about 4,000 people who had their data exposed, and luckily they were able to shut down the systems and recover the patient data. So they didn't have to pay a ransom, but still, those 4,000 people had some very sensitive information exposed. And that was just in February of this year. So this is something that is happening in Montana and Wyoming in some cases.

Also, I mean, Kalispell Regional Healthcare had a data breach back in 2019 that exposed information for about 130,000 people.

And they ended up reaching a settlement last year with those affected for $4.2 million. So hospitals have a lot to lose financially in these situations besides just paying a ransom. Can you tell me a little more about ransomware demands and how negotiators navigate the money involved with these kinds of cyberattacks?

RL: Yeah. So the demands have also been increasing. A few years ago, these were often a few thousand dollars or tens of thousands of dollars. Now the opening demands are often hundreds of thousands or even a million dollars or more. And one of the roles of someone like Karen is to kind of level set with whoever is making that demand.

So if she's representing a small hospital in Wyoming or Montana that really just doesn't have that much money, she can tell them that and say, hey, this hospital, this clinic, they're interested, they're willing to pay because they want to get their systems back, but they don't have a million dollars that they can send to you. Let's work together. How can we actually get this to a reasonable level?

As she's doing that, she's also talking with the hospital or the clinic and kind of saying, what can you do, pay here? Do you have insurance that can cover some of this? What are the options? So she knows what she's dealing with and what options she has.

And the other big thing to mention here, and one of the things that experts say has really contributed to this rise in ransomware attacks, is Bitcoin and cryptocurrency, which have made this so much easier for cybercriminals because it's this untraceable way that they can get a lot of money really quickly and pretty easily avoid detection and punishment and prosecution from the authorities.

JS: So money sometimes gets involved in these cases when paying for proactive or reactive courses of action to deal with these kinds of attacks.

For example, Montana State University just started a new program to train U.S. Air Force and U.S. Space Force cadets in cybersecurity, and they're getting $165,000 out of $1.5 million from a Department of Defense program aimed at cybersecurity. What other steps are being taken by government officials or hospitals and other healthcare organizations themselves to prevent ransomware attacks?

RL: So it's definitely something that is on everybody's mind right now. So in Congress, there've been multiple committees and hearings that have been talking about this recently.

President Joe Biden has talked about this, especially in connection to the Colonial Pipeline attack, and has issued an executive order to increase the federal government's cybersecurity defenses. And also his administration has sent out information to companies telling them how they can better protect themselves.

So this is something that is definitely on the mind of government leaders, and for hospitals and the healthcare organizations, they are really thinking about this more than they used to. Cybersecurity used to be something that's kind of like, we need to deal with it, but it's somebody else's problem.

Right? It's the IT guy's problem. And now with this rise in the number of attacks, and especially with ransomware attacks that can basically shut down a hospital or clinic's ability to do their job and do what they're there for, that has really raised it to the level of, oh no, this is everybody's problem.

These organizations' boards of directors and executives are really looking at this and saying, okay, we need to act now, what do we need to do? And so, there's not great data on exactly what's happening here, but anecdotally, from people we were talking to, there is more investment, more money going toward cybersecurity at hospitals and health systems.

So there's been more investment there. Companies like Karen's, who work on the proactive side that you're talking about, trying to prevent this stuff, are seeing an increase in healthcare clients trying to protect themselves on the front end. And then we're also seeing a big lobbying push, particularly from hospitals, trying to get the government to send more money to the healthcare industry to help particularly smaller hospitals and clinics and organizations beef up their cybersecurity defenses.

Because as I said before, those are the organizations that are really most at risk, most vulnerable and have the fewest resources to deal with this on their own.

JS: Well, thank you, Ryan, for sharing your reporting with us.