Copyright © 2024 CNA Corporation 3003 Washington Boulevard, Arlington, VA 22201 | 703-824-2000 | www.cna.org
Helping Hospitals Improve Resilience to Ransomware
Jamie Biglow and Dawn Thomas
On January 31, 2024, Lurie Children’s Hospital in Chicago was the victim of a ransomware attack by the
ransomware-as-a-service
group Rhysida. Lurie is a pediatric acute care hospital with 360 beds, 1,665
physicians covering 70 sub-specialties, and 4,000 medical staff and employees. It is one of the most
important pediatric hospitals in the country, providing care for more than 200,000 children annually.
Lurie detected the attack and preemptively shut down its phones, email service, electronic health record
(EHR) system, and MyChart patient portal to protect its data. The hospital reverted to a first-come, first-
served approach, prioritizing emergency situations. Scheduled procedures were delayed, ultrasound and
CT scan results were unavailable, and prescriptions were given in paper form. Parents expressed frustration
with the inability to communicate with their children’s doctors or access the patient portal. In a few cases,
surgeons operated on pediatric patients without some of the high-tech assistive devices they would usually
use.
Despite these challenges, the effects of the Lurie cyberattack could have been worse; the hospital could have
been forced to shut its doors. The speed with which hospital staff were able to make decisions and take
steps to keep their doors open, including setting up a call center and switching to manual processes,
suggests that Lurie had planned for a potential cyber incident and taken steps to prepare for it. Other
notable cyberattacks on hospitals in recent months have been more destructive, including the November
2023 cyberattack on Ardent Health Services
, a 30-hospital health system, which resulted in hospitals in
three states having to reroute ambulances to hospitals that could accommodate patients.
Targeting the Healthcare Sector
Hackers are targeting the healthcare sector with increasing frequency. According to the US Department of
Health and Human Services
(HHS), from 2018 to 2022, there was a 93 percent increase in large breaches
reported (369 to 712), with a 278 percent increase in such breaches involving ransomware. The Federal
Bureau of Investigation received more reports of ransomware attacks on organizations in the healthcare
and public health sector in 2022 (the most recent year available) than for any other critical infrastructure
sector, with the number of attacks rising in the two years since then. In their recent report, The State of
Ransomware in the U.S., Emsisoft Malware Lab reported that in 2023, 46 hospital systems with a total of 141
hospitals were affected by ransomware attacks. Finally, in a survey conducted by the Ponemon Institute in
2023, 88 percent of surveyed healthcare organizations reported having experienced at least one
cyberattack in the past year.
Unfortunately, many hospitals are vulnerable to these increasingly persistent threats. Hospital cyber
capacity and capabilities vary widely, which complicates the development and implementation of cyber
standards. In addition, hospitals have a large attack surface, made up of a series of interconnected systems
(including EHR, remote patient monitoring technology, imaging equipment, and telemedicine platforms),
that increases their vulnerability to cyberattack. Partner organizations can also be a source of cyber
disruption. For example, Change Healthcare, the insurance claims processing system that processes
50
percent of all medical claims in the US, was hit by a ransomware attack on February 21, 2024, disrupting
the ability of medical providers across the country, including those of many hospitals, to make insurance
claims and get paid.
