The consequences of the hack of Lurie Children’s Hospital

April 29, 2024
By Dan Draper

More than two months have passed since Lurie Children’s Hospital, the largest pediatric healthcare provider in Illinois, was first forced to confront a breach in its data systems. Rhysida, a ransomware gang, reportedly claimed responsibility for the cyber attack and announced that it had sold the entirety of the hospital’s stolen data, including patient information, for approximately $3.4 million on the dark web. The rat’s nest this left behind is difficult to fully quantify, but to describe the data breach of a healthcare provider that annually serves more than a quarter million children as anything less than devastating would be selling the fallout short.

After Lurie shut down most of its internet-connected equipment on Jan. 31, the assessment and recovery process from the breach began in earnest. Weeks passed before the hospital was able to restore its phones, email access or electronic health records. Lurie didn’t begin reactivating its Epic MyChart patient portal until mid-March, and the restoration of patient data is still ongoing.

The consequences of cyberattacks on hospitals can be dire. When networks are shut down, physicians and support staff are cut off from critical tools and patients are at risk of suffering severe complications, and even death. Healthcare organizations are often targeted by ransomware attacks explicitly because of the sensitivity and importance of the data they handle. Bad actors know these organizations will typically pay a ransom in order to keep networks online and protect their data, and their efforts are only likely to gain momentum, and cause more loss and lethality, over time. What recourse do healthcare providers have?

A healthy approach to data and systems protection
Consider what we know about the optimization of the human body and the importance of routine health maintenance and daily care in keeping those biological systems online and operating at full capacity. You know the drill: brush three times a day, pop a multivitamin, cut back on red meat, take a walk around the block at lunch, get your rest. No one knows this stuff as well as physicians. So hospitals and other healthcare providers would do well to take a page from their own playbooks when approaching data and information systems protection.

That begins with cyber hygiene. Healthcare organizations should establish a daily (and, in some cases, more frequent) cyber routine to keep their systems and data “healthy.” Just as you and I are advised to get our exercise, eat more vegetables and generally adopt strong wellness habits, every organization that handles sensitive information should take appropriate steps to protect the integrity of their systems and security of their data.

In that same vein, healthcare organizations must make a priority of preventative care. You don’t need to be a physician or a heart patient to understand that hopping on the treadmill a few times a week is far easier before undergoing a triple bypass than it is starting an exercise regimen afterwards. The earlier that cybersecurity issues are addressed, the better off a hospital or care network will be. Being proactive – conducting checkups, training staff and implementing appropriate systems – helps organizations sidestep the damage, cost and reputational consequences risked by settling on a reactive approach. Investing in robust cybersecurity systems and adopting methods such as encryption-in-use enable organizations to “shift left,” or otherwise address potential cybersecurity issues in the pipeline before they grow into a problem that can bring an entire operation to a standstill.

The true cost of a failed cybersecurity plan
Every organization that relies on the internet to conduct operations and that collects or stores data should consider itself a potential target for a cybersecurity attack. But it is those organizations that neglect to plan for the threat of a breach and to protect against bad actors that are, by far, the most vulnerable among them.

That makes the commitment of healthcare organizations, specifically, to cybersecurity exponentially consequential. Given the stakes, ownership of and responsibility for healthcare cybersecurity should be considered just as important as healthcare itself. In the event of a healthcare data breach, the potential butterfly effect can be dramatic. Machines may no longer function, charts become unavailable, networks go dark. Patients may needlessly experience pain, suffer exacerbated long-term health complications and even face death. Poor cybersecurity can severely compromise a hospital’s day-to-day operations, backing up schedules, bottlenecking other local care systems, imperiling the public trust and possibly even leading to litigation.

But too many organizations seem to view cybersecurity as something of an afterthought, or a line item that can be squeezed as a cost-cutting measure. For-profit healthcare facilities are run by executives and board members who prioritize revenue. But in some ways, nonprofit hospitals – which outnumber profit-driven facilities by at least twofold – are in a tighter bind. For organizations bound to strict (and often modest) budgets, justifying up-front cybersecurity costs to protect against a breach that arguably may never come can be a difficult sell.

But as the case of Lurie Children’s Hospital demonstrates, all it takes is one breach – a crack in the foundation or a fissure in the dam of an organization’s cybersecurity – to cost it millions in data. And this doesn’t begin to account for the human toll, or an organization’s related financial and existential losses.

Because the source of a data breach is usually tied not to systemic failure but to spending prioritization, the cybersecurity conversation must be transformed. Rather than settling on a reactive, “What now?” model, organizations must not only be encouraged to embrace a proactive approach to data protection, but also be presented with clear evidence of why it’s a more prudent and ultimately more cost-effective choice.

Keeping our bodies and our organizations healthy is a lifelong and tireless commitment. And anecdotal comparisons or the crunching of numbers on a balance sheet won’t necessarily clarify the risk-reward equation. Some people smoke and eat cheeseburgers, going on to live a long life. Similarly, not every healthcare organization with lagging cybersecurity support will be brought to its knees by hackers. But as data breaches continue to increase and cyberattacking groups grow more sophisticated, the risk and cost – not just ransoms, but the long-term effects on patients and hospital operations – come into sharper focus.

In the end, willful negligence in the name of lower up-front costs is a monumental gamble. Building a proactive cybersecurity infrastructure on a foundation of constant monitoring and maintenance, on the other hand, gives every organization its best chance to avoid potentially ruinous consequences. In cybersecurity as in healthcare, prevention is always a preferred strategy over aftercare.

About the author: Dan Draper is founder and CEO of CipherStash, a data security company that utilizes groundbreaking searchable encryption technology.