Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital

Ransomware attacks can force healthcare facilities to close temporarily, and some small healthcare practices have decided not to reopen after an attack. Hospitals and health systems are usually financially resilient enough to remediate an attack and recover, but St. Margaret’s Health was not. Like many rural hospitals and health systems, St. Margaret’s Health had been struggling to maintain operations in the face of increasing financial pressures when it fell victim to a ransomware attack that sent it into a downward financial spiral. The attack, in combination with several other factors, resulted in the decision to permanently close its 44-bed Spring Valley location in Illinois. St. Margaret’s Health also operates a 49-bed hospital in Peru, IL, which was under a temporary suspension that was announced in January this year. All operations at the two hospitals will permanently end on Friday, June 16, 2023.

The Sisters of Mary of the Presentation founded St. Margaret’s Health in 1903. In 2021, St. Margaret’s Hospital – Spring Valley and Illinois Valley Community Hospital (IVCH) in Peru consolidated their operations and formed a regional health network run by the SMP Health ministry, with IVCH changing its name to St. Margaret’s Hospital – Peru. St. Margaret’s Health tried to integrate the new hospital into its network so that the two hospitals and their associated clinics could continue to provide Catholic healthcare in the Illinois Valley, but the challenges proved too great. Like many rural hospitals, St. Margaret’s Health has faced increasing financial pressures in recent years. The COVID-19 pandemic, continuing staff shortages, and the ransomware attack on St. Margaret’s Hospital – Spring Valley’s computer systems in February 2021 proved too much and made it impossible to sustain its ministry. The ransomware attack itself did not trigger the closure, but it did play a key part in the decision to close. The attack prevented the hospital from submitting claims to insurers, Medicare, and Medicaid for months, piling even more financial pressure on the already struggling St. Margaret’s Health.

Suzanne Stahl, chair of SMP Health, said St. Margaret’s Health has signed a non-binding letter of intent with OSF Healthcare to acquire the Peru campus and related ambulatory facilities. The proceeds of the sale will be used to pay off a portion of St. Margaret’s debts and will help to ensure that Catholic-based healthcare will continue to be provided in the Illinois Valley and the surrounding areas. The transition will take some time, and while OSF Healthcare is working to accomplish the purchase as quickly as possible, it is not able to provide a time frame for when care will resume. “The hospital closure will have a profound impact on the well-being of our community. This will be a challenging transition for many residents who rely on our hospital for quality healthcare,” said Melanie Malooley-Thompson, Mayor of Spring Valley. The closure will mean that patients will be forced to travel much further for emergency room and obstetrics services.

Longstanding pressures on rural hospitals resulted in 136 rural hospital closures between 2010 and 2021, according to a 2022 report from the American Hospital Association, including 19 closures in 2020 alone. Rural hospitals typically have low reimbursement, staff shortages, and low patient volumes, and also had to deal with the COVID-19 pandemic. Cyberattacks are enough to send them over the edge.

Tragically, this is unlikely to be the last ransomware attack that proves too much for a rural hospital. Increasing financial pressure limits the ability of rural hospitals to invest in cybersecurity, and they also struggle to attract and retain skilled cybersecurity staff. That makes rural hospitals an easy target for ransomware gangs, which are increasingly targeting these healthcare facilities. Even when rural hospitals are not specifically targeted, they can still fall victim to non-targeted attacks due to the lack of appropriate cybersecurity.

The post Ransomware Attack Key Factor in Decision to Close Rural Illinois Hospital appeared first on HIPAA Journal.

HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams

The Health Sector Cybersecurity and Coordination Center (HC3) has compiled a profile of the FIN11 threat group (TA505/Lace Tempest/Hive0065) which is known to target organizations in the healthcare and public health (HPH) sector. Historically, FIN11 has conducted phishing campaigns but has now migrated to other attack vectors against companies in North America and Europe. The group is financially motivated and often engages in data theft for extortion, with or without ransomware.

Recent attacks include the exploitation of zero-day vulnerabilities in file transfer solutions to gain access to sensitive data, which is stolen, with the group threatening to release it if a ransom is not paid. FIN11 often deploys CLOP ransomware in its attacks, although it is unclear exactly how many CLOP ransomware attacks FIN11 has conducted. The ransom demands in these attacks vary based on the perceived ability of the victim to pay and typically range from a few hundred thousand dollars to $10 million.

FIN11 phishing and spear phishing campaigns have used a combination of malicious attachments and hyperlinks, and fake download pages have been used to trick people into downloading malware. FIN11 is thought to have been involved in the mass exploitation of vulnerabilities in the MOVEit and Accellion FTA file transfer solutions, the PaperCut MF and NG vulnerability in 2023, the Windows ZeroLogon vulnerability in October 2020, and several other vulnerabilities. FIN11 also targeted HPH sector organizations during the COVID-19 pandemic.

FIN11 is known to deploy a range of different malware variants after gaining initial access to networks. In addition to CLOP ransomware, the group has deployed the LEMURLOOT web shell, P2P RAT, FlawedAmmyy and FlawedGrace remote access Trojans, and Cobalt Strike, along with a host of other tools to allow the group to achieve its objectives.

Due to the range of different attack vectors, mitigations are varied and involve strong email security measures, prompt patching of known vulnerabilities, endpoint detection solutions, and active monitoring of security alerts for signs of compromise. HC3 recommends that healthcare organizations consider FIN11 a top priority for their security teams, as the group poses a significant threat to the HPH sector.

The post HPH Sector Urged to Make FIN11 Threat Group a Priority for Security Teams appeared first on HIPAA Journal.