With COVID-19 focusing the nation’s attention on hospitals, they’re also getting attention from another group: cybercriminals.

They see a financial opportunity to line their pockets by attacking hospitals with ransomware, according to cybersecurity experts and federal agencies.

In a ransomware attack, cybercriminals use malware — or malicious software — to lock down an organization’s system until ransom is paid. Nationally, in the last few months, hospitals have become the biggest target for such hacks.

The FBI, the Department of Health and Human Services, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency on Oct. 28 warned about increased ransomware threats to hospitals across the nation, according to The New York Times.

One of the known victims is in the North Bay.

Sonoma Valley Hospital announced on Oct. 22 that its computer system was hacked on Oct. 11. The hospital said its cybersecurity team, outside IT and forensics experts were able to block access and expel the cybercriminals from its system.

“No one did anything wrong, but there are a number of things we can do to improve our security,” CEO Kelly Mather told the Sonoma Valley Health Care District Board of Directors at its Nov. 5 meeting, as reported Nov. 9 by the Sonoma Index Tribune.

Some of those protective measures include requiring longer passwords, implementing a two-factor authentication, and hiring a security company to conduct drills and audits, Mather said, adding security experts told her that these days “you’re always chasing security risks.”

The investigation so far indicates the cybercriminals may have removed a copy of a subset of the hospital’s data, potentially compromising some of its patients’ medical information, though not their financial information.

The “threat actor” is Ryuk, a “splinter group off a larger group in Russia,” Mather said. She noted Ryuk has been making demands of one to two million dollars of other hospitals.

Sonoma Valley Hospital never had any intention of paying ransom and is cooperating with law enforcement, according to Mather and the hospital’s Oct. 30 updated statement.

The cyber criminals, Mather said, published “a lot of large files,” about 75 gigabytes of data, experts told her. Most of what was taken were images dating back to 2009, she said.

The hospital’s electronic health records system was spared from the hack, but with all systems down, it’s had to revert to manually processing results, said Sabrina Kidd, chief medical officer.

Rebuilding the system involves replacing 50 computers, Kidd said, adding there are some 75 different systems within the hospital and about 215 workstations that needed to be put back online.

“I think we’re all feeling a lot more optimistic now,” Mather said.

Check Point, a cybersecurity firm with U.S. headquarters in San Carlos, tracks ransomware attacks against the health care sector. Between September and October alone, the firm reported a 71% spike in such hacks.

Sutter Health, which operates Sutter Santa Rosa Regional Hospital and Novato Community Hospital in the North Bay, said it’s aware of the upsurge among cybercriminal activity, and that its area facilities have not been impacted.

“The recent news of upticks in cyberattacks on hospitals and health care systems is reflective of the increased activity we have seen during the COVID-19 pandemic,” according to a Sutter Health spokesperson. “Sutter Health’s proactive approach to cybersecurity means that we continuously assess the threat landscape and adapt accordingly to prioritize the safety and privacy of our patients, workforce and organization.

“In addition to constantly evolving our protocols and deploying a robust information security infrastructure to defend against ever-changing threats, we regularly conduct employee education campaigns about phishing and other cybercrimes, work closely with government officials to implement industry best practices, and keep our patients informed about protecting their personal information online and off.”

A spokesperson from Kaiser Permanente, which operates medical centers in Santa Rosa and San Rafael, said in an email statement: “We are aware of the threat and are monitoring our systems closely.”

Hospitals are particularly vulnerable to ransomware attacks because they have numerous systems that are open to the internet, said David Trepp, partner in BPM’s Information Technology Audit and Compliance (IT Assurance) Group in Eugene, Oregon.

A hospital typically gives access to employees, providers, patients and visitors, as well as to business associates, vendors and a host of medical specialists, Trepp said.

Financial institutions also are susceptible to ransomware attacks, as are small businesses without the funds to invest in a highly resilient security system.

Banks and credit unions pose a narrower risk because they have a more limited number of vendors, specialists and business associates to communicate with through their systems, Trepp said.

“(Another) reason why health care organizations are such ripe attack targets is that they’re just simply not regulated as heavily as a financial institution,” he said, noting banks and credit unions must undergo annual security examinations through the FDIC, National Credit Union Association or other regulatory body.

Hospitals, however, aren’t required to submit to such annual examinations.

John Riggi, senior advisor for cybersecurity and risk at the American Hospital Association, said there are steps hospitals and health systems can take to protect against ransomware attacks.

“Health care providers should proactively implement certain cybersecurity measures such as ensuring current, air-gapped backups of electronic health records and clinical and nonclinical data, expediting patching of all Internet-facing resources, and test their incident response plans as soon as possible,” Riggi said. “Hospitals should also be prepared to reroute patients to hospitals outside their area if there is a simultaneous regional outage of multiple-hospital IT systems.”