Kettering Health is grappling with the aftermath of a ransomware attack that caused a system-wide technology outage, prompting the cancellation of elective procedures and disrupting normal operations across its 14 medical centers.
On Tuesday morning, the Ohio-based health network confirmed it was experiencing a cybersecurity incident resulting from unauthorized access to its network. The attack, which deployed ransomware, has disabled parts of Kettering’s IT infrastructure and affected patient services, including its call center.
The outage has led to the cancellation of all elective inpatient and outpatient procedures for Tuesday, May 20, with rescheduling underway. “Elective inpatient and outpatient procedures at Kettering Health facilities have been canceled for today, Tuesday, May 20. These procedures will be rescheduled for a later date and more information will be provided on this as updates are available,” the organization said.
According to a ransom note viewed by CNN, the attackers claim to have locked the network and stolen sensitive files, threatening to leak the data unless negotiations begin. The note directs Kettering to an extortion portal linked to the ransomware gang Interlock, which has been associated with attacks on the tech, manufacturing, and government sectors.
The health system emphasized that emergency rooms and clinics remain open: “At this time, only elective procedures are being rescheduled. Our emergency rooms and clinics are open and continuing to see patients.”
Kettering Health stated it has “procedures and plans in place for these types of situations” to continue delivering care. “We will continue to provide safe, high-quality care for patients currently in our facilities.”
It also confirmed its teams are actively working to recover affected systems. “Teams across Kettering Health are working diligently around the clock to restore our systems in the aftermath of unauthorized access that caused a system-wide technology outage.
Safety is the Top Priority
It said patient safety remains the top priority, and procedures are being evaluated on a case-by-case basis based upon collaborative decision-making between care teams, with safety as our highest priority. “While we recognize this process has not been seamless, we ask for everyone’s patience while we continue to work through this issue.”
In terms of patient safety, Kettering said: “We understand our patients’ concerns for their privacy and information security. We have no evidence that personal cell phone apps, like MyChart, or the information in them have been compromised.”
Throughout the response, Kettering praised its frontline personnel and community allies, saying it is grateful to the “remarkable” providers and staff who are continuing their work despite these challenges and to its community partners helping make meaningful progress during the current situation.
Kettering Health has not disclosed the extent of the data potentially accessed.
The incident is part of a broader wave of ransomware attacks targeting the U.S. healthcare sector, which reported over 440 ransomware incidents and data breaches to the FBI last year, more than any other critical infrastructure sector.
No Honor Among Thieves
Trey Ford, Chief Information Security Officer at Bugcrowd, says: “There used to be honor among thieves, and I’m heartbroken to see attackers continue to target healthcare. I don’t know when the attack started, but want to encourage Kettering to maintain what appears to be direct and responsive updates on their website. They’re answering what the public needs to know right now, and doing it quickly.”
Ford says cancelling outpatient and elective procedures to prioritize acute care and protecting life-support missions is absolutely the right move – and sadly healthcare has had to build these procedures. “I trust case studies will come out of this work, I hope they share openly their lessons learned on the other side of this event.”
He adds that the fact that miscreants captured targets for fraudulent outbound collections calls raises questions about dwell time. “Sadly, we live in an age where receiving a call requesting payment for healthcare service is a norm, and there is no solid way to authenticate those callers. I worry for the vulnerable populations being targeted in these parasitic campaigns, this is a strong and worrying variation of double-extortion ransomware attacks.”
The public needs to feel empowered to receive a call, acknowledge a request – and then call institutions back based on publicly available information they look up, Ford adds. “We don’t live in an age where anything we hear on the phone, receive in email or snail mail can be explicitly trusted. DO NOT make payments or give up sensitive information on inbound calls, unless you personally know the person you’re talking to.”
The Worst Consequences
Patrick Tiquet, Vice President, Security & Architecture at Keeper Security, says healthcare providers also stand to experience some of the worst consequences of cyber-attacks and breaches. “Not only do they manage immense amounts of sensitive personal and health information about staff, members and patients, but when systems are compromised, patient care can be directly impacted.”
Tiquet says to bolster cyber defenses, healthcare institutions should adopt a multi-layered security approach. “Implementing Privileged Access Management (PAM) can help restrict access to critical systems, while a zero-trust security model ensures that every user and device is verified before gaining access to sensitive assets and data. Proactive endpoint security, continuous staff training on phishing and social engineering threats, as well as robust data encryption and backup strategies are also essential to mitigating ransomware risks. Beyond hospitals, organizations like blood donation centers and medical labs must implement and enforce strict access controls and encryption policies to protect sensitive health data, particularly as they often rely on external partners for data processing.”
Although the investigation is still ongoing, Tiquet says Kettering patients should not wait to take proactive measures like implementing cybersecurity best practices and checking for exposed credentials on the dark web. “A dark web scanning tool such as BreachWatch can alert victims in real time that their information has been compromised, so they can take action before a cybercriminal leverages their information for attacks. Enabling MFA is another critical measure that will protect accounts, even if the credentials are leaked. These actions can help individuals stay ahead of potential misuse of their data, offering critical protection during the time it takes to resolve these larger investigations.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.