Why hackers attacked a health system on Thanksgiving

Giles Bruce by Becker’s Hospital Review

It likely wasn’t by happenstance that cybercriminals attacked a major U.S. health system the week of Thanksgiving, IT security chiefs told Becker’s.

Ardent Health Services, a 30-hospital system based in Nashville, Tenn., took its IT systems offline Nov. 23, the morning of Thanksgiving, after discovering what it later found to be a ransomware attack. Ambulances were still being diverted to other emergency rooms and surgeries were being delayed a week later. Hospitals were disrupted across Idaho, Kansas, Oklahoma, New Jersey, New Mexico and Texas.

“Cybercriminals have been striking for years during the holidays, so this certainly wasn’t a coincidence,” Jeffrey Vinson, senior vice president and chief cyber and information security officer of Bellaire, Texas-based Harris Health System, told Becker’s. “Nation-state bad actors and cybercriminals understand when organizations are most vulnerable and when they are less likely to be paying attention to their monitoring and detection system — and the holidays would be when they reduce their cybersecurity and IT staff.”

Healthcare is a “24/7/365 industry” — and so is cybercrime, Mr. Vinson said. “You cannot drop your guard at any time,” he said.

Asked to comment for this story, Ardent referred Becker’s to its Nov. 27 statement.

The U.S. Cybersecurity and Infrastructure Security Agency reportedly contacted Ardent on Nov. 22, the day before Thanksgiving, to alert the health system of malicious cyber activity on its network, according to CNN. An Ardent spokesperson told the news outlet the health system had found an “anomaly” on Nov. 20 and “engaged additional external cybersecurity resources to investigate,” discovering the ransomware on Thanksgiving.

“Cybersecurity does not sleep, and it does not take a holiday,” said Esmond Kane, chief information security officer of Dallas-based Steward Healthcare. “Bad people will not respect your change freeze, your budget constraints or your family time. Expect attacks always, but especially when your team is sparse or attention elsewhere.”

“We always owe a debt of gratitude to our first responders,” he added. “Increasingly, we must also be thankful for our security operations teams working to keep critical IT systems from harm.”

The timing of cyberattacks to coincide with holidays is a “new norm,” said Jack Kufahl, chief information security officer of Ann Arbor-based Michigan Medicine.

“Factoring in notable events at our targeted companies, as well as likely threat actors’ countries of origin, are useful context for threat intelligence activities,” he said. “Dates alone will not tell you when or if an attack will occur, but it should enrich all the other cofactors one uses in predicting likelihood.”

He recommended health systems incorporate “inconvenient timing” into their cybersecurity tabletop exercises to increase awareness at the organizations and make sure they’re ready for a surprise holiday attack.
