INDIANAPOLIS — Johnson Memorial Health in Franklin announced that its computer system has been disabled by a cyberattack.
The health care system of Johnson County maintains that it can continue to meet patient needs without access to computer records, most services are unaffected and anyone with a scheduled appointment should arrive a few minutes early to compensate for the impact of the breach.
JMH staff and its security contractors have spent the weekend trying to determine the extent of the intrusion and how to bring the system back up.
“It’s part of a trend we’ve seen building over the last couple years even before the pandemic,” said Scott Shackelford, Chairman of the IU Cybersecurity Risk Management Program. “Unfortunately health care providers are very much in the crosshairs because the word has gotten out that not only do they often have insurance and deep pockets but because they are in such a vulnerable position their patients need access to this information their doctors do in order to perform the procedures, to be able to provide the services that are required so they are more likely to pay up.”
Eskenazi Health announced late Friday afternoon that while it did not pay a ransom related to a breach of its data system in May that was not revealed until early August, virtually all the personal information of some patients and employees was posted on the dark web, including names, photos, medical records and credit card numbers.
“If you look at the surveys that have been done, about one-in-three health providers have been hit by ransomware attacks just since 2020 and there’s been a 45% uptick in that rate since last December,” said Shackelford. “If you’re a defender, if you’re a hospital security professional, you have to defend all of the different vulnerabilities, all of the endpoints, all of the different devices, all the different ways your system gets access. If you’re the attacker, you only need to find that one way in.
“When its hospitals being targeted, that’s one thing, they do have some resources to deal with this, but small doctors offices across the state and across the nation are in an even tougher position.”
Shackelford said that while typical phishing inquiries requiring a user to inadvertently open a tainted file are on the decline, other more insidious attacks are underway from exploiting backdoors into systems to so-called Zero Click malware that can infect a system simply by receiving a text or email.
Experts recommend consumers protect themselves by utilizing multi-factor identification to verify identity, toggling the settings on mobile apps to make sure they don’t share your information with other apps, freezing your credit when you’re not accessing it and filing complaints if you feel confidential data provided to your health care provider has been released.