Three hospitals in Alabama were closed to all but critical patients Wednesday after a ransomware attack crippled their computer systems.

The form of ransomware used in the attack on the hospitals, all run by a nonprofit firm called DCH Health System, is not currently known.

“A criminal is limiting our ability to use our computer systems in exchange for an as-yet unknown payment,” DCH said in a statement today. “Our hospitals have implemented our emergency procedures to ensure safe and efficient operations in the event technology dependent on computers is not available.”

The news came days after seven public hospitals in the Australian state of Victoria were also struck with ransomware. While the Victorian hospitals were not forced to turn away patients, patient records, booking and management systems were affected with some hospitals forced to revert to manual systems.

Whether the attacks in Alabama and Australia are linked is unknown. Health care providers have been targeted by ransomware attacks before, including an attack on hospitals in Ohio and West Virginia in November and hundreds of dentists in August.

J.J. Thompson, senior director of managed threat response at security firm Sophos plc, told SiliconANGLE that healthcare boards need to act swiftly. “The oath ‘do no harm’ takes on significant meaning when we see patients turned away by those they trust to help them in their time of need,” he said.

The unfortunate truth, he added, is that these hospitals aren’t alone.

“Hospitals and other types of healthcare organizations large and small are increasingly being targeted by stealthy cyber attackers with aggressive ransomware that brings the daily course of business to a standstill,” he said. “Ransomware is one of the most widespread and damaging threats. Unlike municipalities or financial institutions that have also fallen victim, however, the risks in healthcare are more significant with patient lives on the line.”

Oussama El-Hilali, chief technology officer at data protection company Arcserve LLC, called on hospitals to do better, saying that not having patient data safely backed up and easily recoverable in the event of a ransomware attack can have life-or-death consequences.

“To avoid situations like the one the DCH hospital system in Alabama found itself in, IT teams need to update their disaster recovery strategies to ensure appropriate retention policies and number of copies of patient data are accessible no matter the circumstances by investing in technologies that provide continuous availability to prevent downtime altogether,” El-Hilali said.

In fact, he added, “the healthcare industry as a whole must take a more proactive approach to DR planning, addressing security vulnerabilities from legacy IT and improving cybersecurity resilience. If they don’t, we’ll see more hospital systems dealing with the issues currently faced by the DCH, as hackers know these organizations are vulnerable and willing to pay ransoms to restore their ability to provide patient care.”

Image: christiaancolen/Flickr