Campbell County Health (CCH) is not commenting on the recent ransomware attack Sept. 20 that shut down computer systems at CCH facilities for several days, crippling key functions and services and forcing the 90-bed facility to transfer patients to surrounding hospitals in Wyoming and South Dakota.
The attack remains under review by the Federal Bureau of Investigation, according to CCH Community Relations Director Karen Clarke, who also said that the hospital will not be granting any additional interviews on the topic.
No patient records or personal information was comprised during the attack, Campbell County Emergency Coordinator David King said, and to his knowledge, the hospital did not pay a ransom to have the records unlocked.
“The hospital said early on that no data left their system,” King said. “By shutting down their computers immediately and completely disconnecting, they were able to limit the damage and exposure.”
Hospital staff and the IT department responded incredibly well, King added, which isn’t always the case. King referenced a ransomware attack around the same time at another Wyoming facility, which he was not at liberty to name, in which their computer systems were entirely decimated by the assault.
“It completely destroyed their system,” he said. “We were much luckier.”
King was not sure what type of software the hospital was using or how the virus was able to infiltrate their system, though statistically speaking, he guesses it was through an employee email.
In general, around 91% of malware and bugs start with an email, according to Laura Baker of the non-profit CyberWyoming, who had no comment on the details in the CCH case. Increasingly, she said, individuals and organizations are at a greater risk for a cyberattack than ever before, with ransomware attacks nearly doubling in 2019.
“You can do absolutely everything right, and they might still be able to come in,” Baker said. “Email is vulnerable because it has to be open, because we need to communicate, and all they need to do is get somebody to click.”
Equally important to protecting against vulnerabilities in the infrastructure, she said, is educating users as a second line of defense. Elderly people, in particular, are at risk for cyber crimes as are extroverts with poor impulsivity control, according to Dr. Erik J. Huffman of SecureSet Cybersecurity Academy in Fort Collins, Colorado. Huffman is one of a small group of scientiests studying the emerging field of cybersecurity.
“We spent years trying to patch the human with technology. It didn’t work,” Huffman stated in a press release announcing his presentation at last month’s Cybersecurity Symposium in Laramie.