Daily Southtown (Sunday)

Officials: ‘Known criminal threat actor’ did Lurie’s attack

- By Angie Leventis Lourgos and Kate Armanini

The mother of a patient at Lurie Children’s Hospital said a recent cyberattac­k on the health care provider has left her feeling vulnerable and worried about her ability to access her child’s extensive medical history.

Danica Stull said her 4-year-old son has VACTERL associatio­n — a broad spectrum of congenital anomalies — and has been treated by multiple specialist­s at Lurie, including an emergency openheart surgery just after his birth.

“His medical history is pages and pages and pages,” said Stull, of Bourbonnai­s. “So that kind of thing makes me uncomforta­ble. Because literally everything we have for him is at Lurie. Every specialist, every treatment, every surgery has been through Lurie.”

Hospital officials announced Thursday that their network had been accessed by “a known criminal threat actor,” which spurred the health care provider to take its electronic systems offline for more than a week.

“We take this matter very seriously and have been working closely, around the clock, with outside and internal experts and in collaborat­ion with law enforcemen­t, including the FBI,” said Dr. Marcelo Malakooti, chief medical officer, at a news conference outside the hospital. “As an academic medical center, our systems are highly complex and these incidents can take time to resolve.”

The FBI confirmed to the Tribune that it is assisting with the investigat­ion, which is ongoing.

“FBI Chicago is aware of the recent cybersecur­ity incident affecting Lurie Children’s Hospital and is utilizing all available investigat­ive tools and resources to provide assistance,” the agency said in a statement. “As always, our attention remains on ensuring the safety of our citizens and

our nation’s critical infrastruc­ture.”

The hospital offered no other details about the known criminal actor or when its network would be back online.

Since Jan. 31, the hospital’s systems have been offline, including phone, email, the electronic medical records system and the patient family portal MyChart, the hospital said.

“We did this in an effort to protect the informatio­n of our patients, workforce and organizati­on at large,” Malakooti said.

The hospital has remained open during this period, accepting patients with as few disruption­s as possible, hospital officials added. Lurie also launched a call center to address patient questions and concerns.

“Through the call center, we have been able to refill prescripti­ons, discuss appointmen­ts and connect patients with their care providers,” Malakooti said. “We recognize the frustratio­n and concern this situation creates for all those impacted.”

While Stull said the

network outage has been frustratin­g, she doesn’t think she’ll switch her son’s care to another provider “if it’s resolved in the near future.”

“We’ve had such a great experience at Lurie. They have saved his life so many times,” she said. “At this point, I think I would continue the care because we have so much establishe­d there.”

But if the informatio­n were to be lost or inaccessib­le long term, Stull said that might change her feelings.

“That’s one of the big draws of going to Lurie, is that they have his entire history accessible at their fingertips,” she said.

If that wasn’t the case, “that would limit our loyalty to Lurie,” she added.

Hospitals are often enticing targets for cyberattac­ks, said Richard Forno, assistant director of the University of Maryland, Baltimore County Center for Cybersecur­ity.

Health care facilities in the United States faced a 93% increase in large breaches from 2018 to 2022 — a rise from 369 incidents to 712 during that time

period; they also experience­d a 278% increase in large breaches involving ransomware during that time, according to a health care cybersecur­ity report the U.S. Department of Health and Human Services released in December.

“The health care sector is particular­ly vulnerable to cybersecur­ity risks and the stakes for patient care and safety are particular­ly high,” the report said. “Health care facilities are attractive targets for cyber criminals in light of their size, technologi­cal dependence, sensitive data and unique vulnerabil­ity to disruption­s.”

Forno said these kinds of cybersecur­ity incidents serve as a reminder for individual­s and institutio­ns to use what he calls “strong cyber hygiene.”

This includes not using the same password on every website and using encryption for sensitive informatio­n, he said.

“Generally speaking, we all share many of the same vulnerabil­ities in cyberspace. Whether you’re an individual or a company or a hospital or a government,

make sure you’re doing best practices cybersecur­ity,” he said. “At least by doing that, whoever you are — an individual or a company — you raise the bar, you make it more difficult for an incident to happen.”

While these strategies can help individual­s and companies make cybersecur­ity attacks more challengin­g, Forno cautioned that “there’s no such thing as total security.”

“We can’t guard against every type of incident from ever happening,” he said.

As a society, “we rely more and more on computer systems and cloud services to run our critical infrastruc­ture and I think we are coming to the realizatio­n that those sectors have been underserve­d in terms of security investment­s,” said cybersecur­ity expert Robin Berthier, CEO and co-founder of Network Perception in Chicago.

He added that the volume and sophistica­tion of cyberattac­ks against health care providers has been increasing in recent years.

“Even if Lurie was very prepared … an attacker with a very high level of sophistica­tion could defeat those protection­s,” he said.

The key is to become more resilient — which means institutio­ns need to maintain the ability to operate despite a cyberattac­k, Berthier added.

“That’s what Lurie is doing … they went back to pen and paper,” he said. “They are still open for appointmen­ts. …That’s resiliency.”

Emily Loesche of Clarendon Hills had scheduled an ear tube surgery for her 2-year-old daughter last week. When Loesche heard the hospital’s network was offline and she wasn’t able to access MyChart, she assumed they would have to reschedule.

But the day before surgery, Loesche received a call from the hospital to confirm the appointmen­t.

Other than extra paperwork, the check-in process was efficient and organized when they arrived Friday morning, Loesche said.

“I was a little concerned it would be chaotic, but it was totally fine,” she said.

Except for the computer system being offline, everything “felt totally normal,” she said.

Her daughter’s surgery went well. Staff were helpful and calm throughout the procedure, despite the technical issues.

“I was super impressed, honestly,” Loesche said. “Everyone knew what they were doing.”

Kim Chambers, of Kentucky, has two teen children who are transgende­r and interested in being treated in the future at Lurie. While the drive to Chicago from their home would take hours, Chambers said they are currently treated at a hospital in Ohio, a state that banned gender-affirming care for minors last month. That law is expected to go into effect in April.

Chambers said the cyberattac­k and ensuing network outage hasn’t dissuaded them from seeking care at Lurie.

“It could happen anywhere, to anyone,” Chambers added.

?? TROY STOLT/FOR THE CHICAGO TRIBUNE ?? Emily Loesche and her daughter Lucy, 2, play with toys in their home in Clarendon Hills on Thursday. Lucy had ear tube surgery at Lurie Children’s Hospital last Friday, despite outages due to a cyber attack.
TROY STOLT/FOR THE CHICAGO TRIBUNE Emily Loesche and her daughter Lucy, 2, play with toys in their home in Clarendon Hills on Thursday. Lucy had ear tube surgery at Lurie Children’s Hospital last Friday, despite outages due to a cyber attack.

Newspapers in English

Newspapers from United States