Systems, Phones Still Offline at Chicago Children’s Hospital

Network systems – including phones, email, electronic health records and the patient portal – remain offline at a prominent Chicago children’s hospital and research center nearly a week after the facility was hit with a cyberattack.

See Also: Live Webinar | Securing the Cloud: Mitigating Vulnerabilities for Government

Ann & Robert H. Lurie Children’s Hospital of Chicago said Monday that it is still actively responding to a “cybersecurity matter” and working on the investigation in collaboration with security experts and law enforcement (see: 2 Chicago Hospitals Are Facing Cyberattack Woes).

The 312-bed hospital, which cares for more than 220,000 patients a year, said it is continuing to offer healthcare services “with as few disruptions as possible” as the facility responds to the cyber incident.

“We are prepared with contingency plans to continue providing safe, reliable care to our patients during system outages and have been operating in downtime procedures,” the hospital said.

Care providers will directly contact families and patients whose on-site appointments and surgeries need to be rescheduled, the hospital said.

“Lurie Children’s phone, email and electronic systems are currently offline. As part of our standard incident response procedures, we have intentionally limited our email system, so it is unable to send to or receive emails from non-Lurie Children’s email addresses,” it said.

“We’ve also prevented outbound internet traffic and took our electronic health record offline. We are unable to receive external phone calls, except for calls to our call center.”

Aside from the general call center that has been set up to handle inquires during the outage, patients and their families still cannot directly contact specific care providers or hospital departments when they have urgent questions or to proactively confirm appointments, which is fueling frustration for some.

“We called the line this morning and all they did was take a message. We aren’t coming in for the sniffles – my daughter needs heart surgery. The lack of transparency in this matter is very disconcerting,” one parent wrote on the hospital’s Facebook page Monday.

“We recognize the concern and inconvenience the systems outage may cause our patient-families and community providers and are working diligently to resolve this matter as quickly and effectively as possible,” the hospital said on its website Monday.

The hospital is continuing to accept and treat patients – including emergency care, inpatient care, surgical procedures and ambulatory visits – the statement said.

Rare But Nasty Assaults

Cyberattacks on children’s hospitals are not as common as assaults on other types of hospitals over the last few years. But as the incident involving Lurie Children’s shows, they do indeed happen, some experts said.

In some rare cases, cybercriminals have backtracked on their attacks involving children’s hospitals. In December 2022, LockBit 3.0 appeared to change course in a ransomware attack on a Toronto children’s hospital, SickKids, by offering a free decryptor and an apology on its dark web site about the incident (see: Toronto Hospital Gauges Whether to Use LockBit Decryptor).

“Let’s be clear: Cyberattacks against children’s hospitals are attacks against children – ill children,” said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.

“Could there be any other more heinous cybercrime these cyber predators could commit? This is truly a boundary that even some ‘professional’ ransomware groups refuse to cross,” he told Information Security Media Group.

“These crimes are particularly despicable as they attack our most vulnerable population. The risk of patient harm to the children may increase as well, if there are not suitable nearby hospitals that are equipped or certified to handle critical pediatric patients,” Riggi said.

“Since the risk of harm may be higher when attacking a children’s hospital, these gangs should consider how those attacks will also raise them higher on the government’s target list,” he said. “That is something they would want to avoid.”

Ransomware attacks are happening at all different kinds of organizations across every critical infrastructure sector, said Errol Weiss, chief security officer at the Health Information Sharing and Analysis Center.

Last year, Health-ISAC tracked over 5,000 ransomware events that affected organizations across the globe. Of those, it counted 459 ransomware incidents in healthcare globally during 2023.

“No one is safe from these cyberattacks,” Weiss said. “Despite claims that cybercriminals won’t target hospitals, we found that about 8% of the victim organizations were in the healthcare sector. When cybercriminals victimize hospitals and impact patient care to extort money from them, it also becomes a threat-to-life crime.”

The Department of Health and Human Service’s HIPAA Breach Reporting Tool website as of Monday showed about a dozen hacking incidents reported in 2023 by children’s hospitals or pediatric practices that affected the protected health information of nearly 200,000 individuals.

“Personally identifiable and personal health records for a child are more monetizable than those for adults, as their credit histories are pristine; victims may not find out for years that their records have been used for financial fraud, and restoration of credit may take even more years,” said Mike Hamilton, co-founder and CISO of security firm Critical Insight.

Because of the value of the patients’ records and the critical work children’s hospitals do, their leaders should consider their organizations to be at elevated risk, he said. They must ensure that appropriate investments are being made in preventing cyber incidents as well as in managing the impact of a cyberattack and minimizing downtime.

“Children’s hospitals are generally for very sick kids whose families are not able to fully fund treatment,” Hamilton said. “The last thing these families need is the added stress of the new uncertainty of their child’s future.”

While ransomware and data exfiltration attacks are on the rise in the healthcare sector, some pediatric care providers also have found themselves in the crosshairs of other hacks.

In 2014, a hacktivist launched a massive distributed denial-of-service attack against Boston Children’s Hospital and a nearby youth and family support organization in protest of a controversial child custody case.

That DDoS attack not only disrupted the hospital’s network for at least two weeks, it also hampered internet connectivity of other Boston-area hospitals (see: Boston Children’s Hospital Hacker Gets Long Prison Sentence).

Attack Averted

In 2021, Boston Children’s Hospital was luckier and averted a cyberattack – this time by government-backed Iranian hackers – after U.S. authorities had received intelligence about the pending assault and alerted the hospital, according to the FBI (see: FBI: Hospital Averted ‘Despicable’ Iranian Cyberattack).

“The FBI was able to thwart the attack against Boston Children’s, and this suggests that there is focused intelligence gathering specifically regarding these organizations,” Hamilton said.

But overall, healthcare organizations lack the resources to defend against such attacks, said H-ISAC’s Weiss.

“I would urge organizations to review and implement the voluntary Cybersecurity Performance Goals released by HHS,” he said referring to new guidance from the Biden administration released as part of a strategy to improve cybersecurity in the healthcare sector (see: HHS Details New Cyber Performance Goals for Health Sector).

“The CPGs link closely to industry cybersecurity frameworks and best practices from the Healthcare Industry Cybersecurity Practices developed as part of a public/private partnership. Implementing the CPGs would help greatly improve the security posture of an organization,” Weiss said.

Lurie Children’s Hospital did not immediately respond to ISMG’s request for additional details about its cyberattack and response efforts.