TAMPA, Fla. (WFLA) — The American Hospital Association maintains that cybersecurity risks are a major problem for health care organizations, mainly due to just how much information they have on file, a lot of which is “of high monetary and intelligence value” to cyber thieves and “nation-state actors.”

On Thursday night, Tallahassee Memorial Hospital’s online systems were put under siege and targeted for what appeared to be a ransomware attack, bringing the risks of hacked hospitals closer to home for Floridians.

While the hospital’s IT security team shut down its network to quarantine the attack, and by doing so turned off all non-emergency procedures, it took three days for the hospital, and its larger system, to resume normal operations.

Tallahassee Memorial is part of a larger network, Tallahassee Memorial HealthCare. The not-for-profit system has been in operation since 1948 and now serves 66 locations in North Florida, South Alabama, and South Georgia, across 21 counties.

The Feb. 3 IT security issue, as TMH is describing it, impacted IT systems, leading to the system diverting emergency services and canceling outpatient and non-surgical procedures until Monday. At the time, TMH still accepted Level 1 trauma patients. The company also got in contact with law enforcement in order to work on investigating the attempted intrusion.

Still, TMH said operations remained impacted even as resumed operations expanded.

According to a Feb. 6 publication, surgical procedures are still limited and offices are using paper documentation for registration, admission, and filling prescriptions, advising patients to expect some delays. Some emergency services patients are still being diverted.

Part of the issue with the IT security attack is how much of a hospital’s system is connected to the internet, in what’s known as the Internet of Medical Things, or IoMT.

For some systems, if a hacker can get into a computer, they can get into everything, from patient records to billing information, to even controlling some medical equipment used for critical health services.

The National Institute of Health said remote patient monitoring, screening, and telehealth treatments have helped change the healthcare system to focus on “early diagnosis, prevention of spread, education and treatment and facilitate living in the new normal.” However, the integration creates its own challenges.

“Mass adoption seems challenging due to factors like privacy and security of data, management of large amount of data, scalability and upgradation etc.,” NIH reported, adding later in the study that “several challenges and implications exist today that need to be addressed before mass adoption of IOMT for instance privacy and security of data, data management, scalability and upgradation, regulations, interoperability and cost efficacy.”

Data privacy and security remains a challenge due to the “huge volume of sensitive health data” for patients, as well as its integration in patient monitoring and system management, according to the NIH.

Wipro, a technology service and consulting company said that IoMT devices can range anywhere from defribrillators to patient monitors to even oxygen pumps and nebulizers. They said “implementing apt security measures is crucial” to ensure patient data safety.

However, researchers say security breaches can also lead to loss of life in the healthcare sector.

“As most IoT devices weren’t developed with security in mind, they are very vulnerable to security breaches. And you can imagine that such compromised security could lead to untold chaos and loss of lives, particularly in the healthcare sector,” according to Richard van Hooijdonk, a self-described futurist and technological implant proponent. “The proliferation of IoMT devices and their lack of security, combined with ubiquitous internet connectivity significantly expands the scope for attacks, making healthcare one of the most ‘popular’ targets for cybercriminals.”

Bringing us back to Tallahassee, a TMH spokeswoman said in part on Tuesday that their staff were working with “outside experts and state and federal agencies to investigate the cause of the event and safely restore all computer systems as quickly as possible.”

More broadly focused on Florida and the rest of the country, Jotform did an analysis of the United states, focused on ranking them by healthcare records hacks.

According to the analysis, made by compiling information from the U.S. Department of Health and Human Services, the U.S. Census Bureau, and a report on data security by IBM, Florida is among the 10 states most at risk for health information breaches.

Jotform reported that while record breaches are at times due to mismanagement by healthcare providers, the majority were “overwhelmingly” breaches from hacking incidents. 80% of record breaches in 2022 were from hacks.

Florida had the seventh highest amount of reported records affected, and highest estimated costs, of all 50 states due to hacking of medical and health records, according to the Jotform ranking.

RankStateIndividual Records AffectedEstimated Costs
1Texas4,957,050$738.6 million
2Wisconsin4,498,306$670.25 million
3Pennsylvania3,063,706$456.49 million
4Massachusetts2,458,139$366.26 million
5Colorado2,435,269$362.86 million
6New York2,374,743$353.84 million
7Florida2,254,815$335.97 million
8California2,002,177$298.32 million
9Michigan1,925,438$286.89 million
10Illinois1,833,579$273.2 million
(Source: Jotform)

According to federal records, 1.8 million Floridians were impacted in 2022, including in parts of Tampa Bay.

Covered EntityStateEntity TypeIndividuals AffectedBreach DateBreach Type
RavkooFLHealthcare Provider105,00001/03/2022Hacking/IT Incident
South Walton Fire DistrictFLHealthcare Provider25,33111/15/2022Hacking/IT Incident
OCEANVIEWS OPTICAL INCFLHealthcare Provider2,00011/03/2022Hacking/IT Incident
Seredor Centers, Inc.FLHealthcare Provider2,50010/08/2022Hacking/IT Incident
Landmark Management ServicesFLHealthcare Provider50109/15/2022Hacking/IT Incident
Synergic Healthcare Solutions, LLC d/b/a Fast Track Urgent Care CenterFLHealthcare Provider258,41107/12/2022Hacking/IT Incident
First Step of Sarasota, Inc.FLHealthcare Provider1,85802/25/2022Hacking/IT Incident
Jacksonville Spine Center, P.A.FLHealthcare Provider38,00002/10/2022Hacking/IT Incident
North Broward Hospital District d/b/a Broward Health (“Broward Health”)FLHealthcare Provider1,351,43101/02/2022Hacking/IT Incident
Foundcare, Inc.FLHealthcare Provider14,19412/16/2022Hacking/IT Incident
Orlando HealthFLHealthcare Provider3,66211/18/2022Hacking/IT Incident
Phoenix Programs of Florida, Inc.FLHealthcare Provider6,59410/21/2022Hacking/IT Incident
Bonita Springs Retirement Village, Inc.FLHealthcare Provider55409/19/2022Hacking/IT Incident
Florida Springs Surgery CenterFLHealthcare Provider2,20308/01/2022Hacking/IT Incident
(Source: U.S. Dept. of Health and Human Services)