Microsoft working to help protect IT systems of rural hospitals

MOSES LAKE — Information is valuable in the Information Age, to good actors and bad actors alike. And unlike precious metals or stacks of cash, people sometimes don’t know how valuable information is, or that it can be vulnerable to attack.  

Erin Burchfield of Microsoft Philanthropies said rural hospitals are an example. 

“Healthcare is uniquely targeted because of the value of the data,” she said. 

According to Forbes magazine, health care accounted for about 23% of all data breaches in 2024. Forbes estimates the value of stolen medical records could be as much as $1,000 per record. 

Hospitals, especially rural hospitals, are also targets for ransomware attacks. The nature of the business means health care organizations are more likely to pay the ransom, Forbes said. 

Burchfield said most cybercriminals are more interested in stealing data to ransom it. 

“Ransomware is the number one type of cyberattack that’s facing rural hospitals, and the data that we have shows that the average cost to get that data back is around $4.4 million,” she said. “If they choose not to pay, then they need to rebuild their entire IT system.” 

A complete rebuild is just as expensive, and can affect patient services while a system is under repair, he said. 

“The range (to rebuild) is similar, in terms of what ransomware attackers are charging, for having to rebuild everything,” Burchfield said. 

A report co-written by Burchfield and two fellow employees cited the case of Sky Lakes Medical Center in Klamath Falls, Oregon. The hospital spent an estimated $10 million to rebuild its system after deciding not to pay the ransom.  

Typically, cybercriminals don’t target individual hospitals, she said, but rather conduct a mass attack that hits a lot of systems at once. Criminals also benefit from advances in tech as they conduct their operations. 

“There are now automated tools to conduct ransomware attacks, and there’s an entire industry that’s been created called ransomware as a service, where you can rent tools to do a cyberattack,” she said. “It was sort of mind-blowing to me, when I did more research on this, (seeing) just how pervasive this is.”  

Rural hospitals are more vulnerable to attacks, she said, because they don’t always have the money to keep their information technology up to date. 

“It’s not that cybercriminals are trying to target the rural hospital. It’s that when they do these spray attacks, they get through at rural hospitals because (those hospitals) lack resources,” she said. 

Cybercriminals take advantage of outdated technology, but they also exploit mistakes made by people using the systems they’re attacking. 

“There’s research that shows that 80% of the cyberattacks that do get through are attributable to user error,” she said. “Somebody hasn’t logged out of the system. Somebody clicks on the blue link (in a phishing email). A big issue for a lot of these hospitals is they don’t have the time to put together the basic training guidance.” 

Microsoft Philanthropies has started a program to help rural hospitals, focusing on critical access hospitals. Critical access facilities meet specific federal guidelines to get the CA designation. 

The program includes three hospitals in Grant and Adams counties, Burchfield said, but declined to say which participated specifically in order to not put them at risk of being targeted.  

It offers a security assessment to qualifying hospitals, as well as training in how to avoid errors that might lead to security vulnerabilities. Microsoft also offers IT systems at a reduced cost to qualifying hospitals that include current security programs, and that can be updated.