WASHINGTON (NEWSnet/AP) — Cybersecurity experts are warning that hospitals in the U.S. are at risk for attacks, and the government is doing little to prevent such breaches.

Hospitals in recent years have shifted to online technology to support telehealth, medical devices and patient records. They are a common target for internet thieves who hold systems' data and networks hostage for ransom, said John Riggi, the American Hospital Association’s cybersecurity adviser.

“Unfortunately, the unintended consequence of the use of all this network and internet connected technology is it expanded our digital attack surface,” Riggi said. “So, many more opportunities for bad guys to penetrate our networks.”

Assailants often operate from U.S. adversaries such as Russia, North Korea and Iran, where they enjoy major payouts from victims and face little chance of punishment.

In November, a ransomware attack on a health care chain that operates 30 hospitals and 200 health facilities forced doctors to divert patients from emergency rooms and postpone elective surgery.

An Illinois hospital closed in 2023 because it couldn’t recover financially from a cyberattack.

One of the top children's hospitals in the country, Ann & Robert H. Lurie Children’s Hospital of Chicago, has been forced to put its phone, email and medical record systems offline as it battles a cyberattack. The FBI is investigating.

Brett Callow, an analyst for the cybersecurity firm Emsisoft, counted 46 cyberattacks on hospitals in 2023, compared with 25 in 2022.

Profit for criminals has grown, too, with the average payout jumping from $5,000 in 2018 to $1.5 million last year.

“Unless governments do something more meaningful, more significant than they have done to date, it’s inevitable that it’ll get worse,” Callow said.

Callow believes the government should ban cyberattack victims such as hospitals, local governments and schools from paying ransoms.

“There’s so much money being paid into the ransomware system now there’s no way the problem is going to simply go away on itself,” he said.

The dramatic increase in online raids has prompted the Department of Health and Human Services to revise rules for the Health Insurance Portability and Accountability Act, known as HIPAA. It requires insurers and health systems to protect patient information, but later in 2024 will include provisions that address cybersecurity.

The department also is considering additional cybersecurity requirements attached to Medicaid and Medicare funding.

“The more prepared we are, the better,” said Deputy Secretary Andrea Palm.


Copyright 2024 NEWSnet and The Associated Press. All rights reserved.