Illinois Hospital Closure Showcases Ransomware's Existential Threat

Published: 23/11/2024   Category: security




St. Margaret's Health is shutting down due to a 2021 ransomware attack and other factors. It's an object lesson for how small and rural healthcare facilities face grave cyber-risk when extortionists come calling.



An Illinois hospital's decision to cease operations later this week, at least partly because of a 2021 ransomware attack that crippled operations for months, is a stark reminder of the sometimes-existential threat that online extortion campaigns can pose.
That's especially true for resource-strapped small and rural hospitals.
St. Margaret's Health (SMH) will permanently close its hospitals, clinics, and other facilities at Spring Valley and Peru, Ill., this Friday, June 16, after serving the community for 120 years. Multiple factors led to the decision, including unprecedented expenses tied to the COVID-19 pandemic, low patient volumes tied to social-distancing mandates, and staff shortages that forced the health system to rely on temporary staffing agencies.
But the February 2021 ransomware attack on its systems at Spring Valley had a big part to play; it catastrophically impacted the hospital's ability to collect payments from insurers for services rendered, and the attack forced a shutdown of the hospital's IT network, email systems, its electronic medical records (EMR) portal, and other Web operations.
SMH vice president of quality and community services Linda Burt says the attack lasted four months, during which employees had no access to the IT system, including email and the EMR system.
"We had to resort to paper for medical records. It took many months, and in some service lines, almost a year to get back online and able to enter any charges or send out claims," Burt says. "Many of the insurance plans have timely filing clauses which, if not done, they will not pay. So, no claims were being sent out and no payment was coming in."
SMH is the latest to make the list that security analyst and researcher Adrian Sanabria maintains of organizations that were forced out of business because of a cyberattack over the past two decades. The list currently comprises 24 organizations — many of them small — across multiple sectors. Among the names in the list is payment processing firm CardSystems, which closed in 2005 following a data breach that exposed sensitive data associated with some 40 million credit cards; security firm HBGary, which went kaput in 2011 after hackers broke into its systems and leaked information about the company; and Brookside ENT and Hearing Center, which shut down in 2019 following a ransomware attack. Significantly, 10 of the cyberattacks on Sanabria's list are ransomware-related, and all of those happened after 2014, when ransomware really started ramping up.
Joshua Corman, former CISA chief strategist and current vice president of cyber safety strategy at Claroty, expects what happened at SMH will happen to other hospitals, especially smaller ones and those located in rural areas. Corman, who was part of a CISA COVID-19 task force that looked into the potential correlation between excess hospital deaths and ransomware, says the hospitals most expected to close are those that are situated the farthest away from other hospitals and alternative care options.
"Small and rural hospitals already face significant financial strains from the last few years of [the] pandemic and very few have much cash-on-hand reserves for unplanned disruptions," Corman says. "Ransomware attacks can disrupt operations for weeks and months and can, therefore, represent the straw that breaks the camel's back."
A couple of factors might be exacerbating the situation. Often many small, midsized, and rural hospitals lack a full-time security staff. They also have a harder time getting cyber insurance, and when they do, it can cost more for less coverage. 
"Congress and the White House are exploring relief, and it's long overdue," Corman says.
In the meantime, policy-makers and industry stakeholders need to find a way to raise the bar on cyber-hygiene in material ways, and provide financial assistance for smaller, target-rich, but cyber-poor entities. "Ransomware attacks represent a new, man-made, but material hazard deserving of Board-level attention," Corman says. "This hazard could drive smaller and rural hospitals into closure."
Mike Hamilton, former CISO for the City of Seattle and currently in the same role at healthcare cybersecurity firm Critical Insight, says it's unclear if the attack on SMH was opportunistic or targeted in nature. However, even healthcare entities like SMH, which likely don't have the ability to pay a ransom even if they wanted to, can become a target if the threat actor knows it carries cyber insurance, Hamilton says. Knowing that organizations have cyber insurance allows threat actors to set the extortion demand just under the threshold for the cost of rebuild and recovery, he notes.
Like Corman, Hamilton too views a cyberattack that disrupts operations as existential for healthcare providers that are already operating on thin margins.
Corman advises administrators and top management at smaller and rural healthcare systems to advocate for assistance from state and federal authorities. To aid in minimizing risk, these systems should engage their regional CISA and HHS resources along with the FBI, Corman notes. They can also focus on prioritizing patching of CISA's Known Exploited Vulnerabilities and take advantage of some of the free cybersecurity tools that CISA offers, such as Cyber Hygiene Scanning (CyHy) and Cyber Essentials.
Hamilton says healthcare IT teams need to limit employee access to the Internet from a healthcare environment as much as possible. "Use the analogy of a control room that operates a dam that generates power — no Internet access, period," he says. "Most attacks start with user action and limiting that access can have an outsized effect on prevention."
