Mississippi Healthcare System Shuts Down Clinics After Ransomware Attack
The University of Mississippi Medical Center last week became the latest healthcare organization targeted by ransomware, forcing one of the state’s largest healthcare providers to shut down operations at its almost three dozen clinics.
According to UMMC officials, the attack occurred on February 19 and compromised the facility’s EPIC electronic health record (EHR) platform, IT network, and phone systems. In response, UMMC shut down all of its systems to determine whether they are safe to use.
LouAnn Woodward, UMMC’s vice chancellor for health affairs and dean of its School of Medicine, reportedly said during a press conference that the ransomware group – which was not named – had contacted school officials, though there was no statement on whether UMMC planned to pay the ransom.
In a statement, Woodward said the university was working with the FBI, CISA, and cybersecurity experts to gauge the extent of the intrusion and determine next steps. It’s unclear when the school’s operations will be up and running.
“To use a medical phrase – we have stopped the bleeding,” she wrote. “And while we know much more now than we did 24 hours ago, the extent and the scope of the intrusion is still not fully understood. … I can’t tell you when – but I can promise as soon as we possibly can – we will be back up and running full steam ahead. The bad guys won’t keep us down.”
Scrambling to Respond
The ransomware attack forced UMMC to turn to using pen and paper for documentation and patient orders and cancel the clinic operations around the state as well as elective procedures. Treatment for hospital patients is continuing and the hospital’s emergency departments are still open and delivering care.
A worry is for patients who are receiving ongoing care, such as chemotherapy, and UMMC is working to schedule appointments for those people, Woodward said.
The incident involving the university health system is a textbook example of a ransomware attack, according to Steven Swift, managing director at cybersecurity firm Suzu Labs.
Big Blast to Get Ransom Paid
“Typically, when a ransomware campaign successfully detonates across a large organization, it takes down a large amount of systems in a coordinated attack,” Swift said. “The aim is for maximum disruption, so that, in this case, UMMC is motivated enough to pay the ransom. The standard response for such an attack is for incident response personnel to implement emergency containment of the network, to stop any further spread and to ensure that any and all remote access that attackers may have gets cut off.”
Early on, from the outside, it’s difficult to tell if systems are down because they were directly compromised by the attack or because of efforts by the victim to contain the damage, he said.
Hobbling the Institution
Damon Small, board member for cybersecurity vendor Xcape, said UMMC’s entire system being shut down “illustrates how a loss of the electronic health record can impede the quality of patient care. By blocking access to the Epic platform, cyber attackers have effectively incapacitated caregivers and forced them to return to manual paper-and-pen methods.”
Small noted the $2.75 million fine levied against UMMC in 2016 by the U.S. Health and Human Services agency following theft of a laptop three years earlier. The device was password-protected, but the sensitive information on it was not encrypted.
“Considering past security failures that led to federal oversight, this incident will undoubtedly intensify scrutiny of UMMC’s governance and its long-term cyber security preparedness,” he said. “Healthcare organizations must recognize that they are attractive targets and should proactively invest in network segmentation, data backups, and incident response capabilities.”
Healthcare a Top Target
According to the International Council of E-Commerce Consultants (EC-Council), healthcare was the second-most targeted industry in the United States by attackers, behind only manufacturing. According to the organization, almost 93% of healthcare organizations in the country reported attacks in 2024, and that trend continued last year.
They’re attractive targets because they hold so much data that is valuable to both financially motivated attackers and nation-state groups focused on intelligence gathering and espionage, according to John Riggi, senior advisor for cybersecurity and risk to the American Hospital Association.
“The targeted data includes patients’ protected health information (PHI), financial information like credit card and bank account numbers, personally identifying information (PII) such as Social Security numbers, and intellectual property related to medical research and innovation,” Riggi wrote last year. “In fact, stolen health records may sell up to 10 times or more than stolen credit card numbers on the dark web. Unfortunately, the bad news does not stop there for health care organizations — the cost to remediate a breach in health care is almost three times that of other industries — averaging $408 per stolen health care record versus $148 per stolen non-health record.”
Backing Up is Not Enough
Suzu Labs’ Swift said ransomware groups also target organizations’ backup systems, so defenders need to plan their systems with that in mind, building resiliency into them and keeping a copy of backups offline or in immutable storage. They should also be designing their security architecture to protect against high-impact threats like ransomware, with endpoint detection and response (EDR) on all devices, annual penetration tests, and ensure that multifactor authentication (MFA) solutions are phishing-resistant.
Organizations should also perform audits of credentials to ensure strong passwords are being used, run vulnerability scans, and patch to keep systems current.
“Most of all, ensure that the organization has someone with appropriate experience in charge of running the security program, and that they’re given adequate resources for staff and technical tooling,” Swift said.
