One of the largest nonprofit health systems in the country experienced a ransomware cyberattack last week.
Ascension announced the incident on May 9, explaining that they “detected unusual activity on select technology network systems” and later discovered it was due to “a cybersecurity incident.” Ascension hired a third-party cybersecurity team to investigate and help restore operations. Yesterday, they confirmed it was ransomware.
Headquartered in St. Louis, Ascension operates 140 hospitals and has 35,000 affiliated providers serving communities in 19 states and the District of Columbia; it employs more than 134,000 people.
Continuity of Care is Interrupted
Since the announcement seven days ago, Ascension has been providing regular updates, emphasizing the importance of maintaining patient care services and restoring systems safely. However, despite its best efforts, Ascension revealed yesterday that the cyberattack has directly and significantly impacted patient care. The situation is serious, with several of its hospitals currently unable to accept emergency medical patients. Measures are in place to ensure emergency cases are triaged immediately, but the disruption to patient care is undeniable.
Ascension has also paused some elective procedures, appointments, and tests as it responds to the incident. Ascension’s providers have reverted to downtime procedures because its EHR systems are unavailable. Downtime procedures include moving to paper records and using manual processes for dispensing medication, contacting patients, and ordering diagnostic tests.
Ascension is Providing Full Communication
Ascension’s communications are more complete than most we’ve seen from providers experiencing a cybersecurity incident. Its website updates include detailed information about different facilities in 11 regions. The website also includes a Frequently Asked Questions section, which answers some of the most common questions from patients and their families.
Ascension has not disclosed whether any protected health information (PHI) was compromised but promised to notify and support any individuals affected “in accordance with all relevant regulatory and legal guidelines.” We’ll look for announcements complying with the HIPAA Breach Notification Rule.
As of today, Ascension cannot say when their systems will be fully restored, which is common this soon after a cyberattack. Restoration is a long and complicated process.
Healthcare Cybersecurity in Crisis
The cyberattack on Ascension follows the massive disruption caused by the February ransomware attack on UnitedHealth Group’s Change Healthcare.
The fallout from that breach continues to wreak havoc on healthcare organizations nationwide, and the affected patients haven’t been notified yet. Change acknowledged that the ALPHV/BlackCat ransomware group was responsible.
UnitedHealth CEO Andrew Witty testified to Congress on May 1 and admitted that “maybe a third” of Americans’ protected health information and personally identifiable information was stolen in the attack. Witty testified that the cybercriminals were able to use compromised credentials to access a Change Healthcare Citrix portal remotely on February 12. The ransomware hit nine days later.
Witty admitted that UHG paid the cybercriminals around $22 million as ransom, knowing there was no guarantee that the breached data would be secure.
UnitedHealth Group has been roundly criticized for lacking adequate cybersecurity defenses. It lacked multi-factor authentication, for example. UHG had yet to implement the recommendations of the December 2023 joint Cybersecurity Advisory (CSA) about the ALPHV/BlackCat ransomware threat to healthcare. The advisory was later updated after the Change Healthcare incident.
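The two control gaps described above, a remote-access portal reachable with compromised credentials and no multi-factor authentication in front of it, are exactly what a routine access review should surface before an attacker does. The script below is an added example written for this article; it is not code from UnitedHealth Group, Change Healthcare, CISA, or the advisory. It runs a simple audit over a constructed set of authentication events and a constructed account inventory (the field names, portal names, users and addresses are all invented for illustration) and flags successful logins to an external-facing portal that completed without MFA, as well as accounts entitled to remote access that are not enrolled in MFA at all.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample authentication events for an external remote-access portal.
# The field names are assumptions for this example; map real gateway or
# identity-provider logs to them before use.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T03:14:00Z", "user": "svc-remote01", "portal": "remote-gateway",
     "result": "success", "mfa": False, "src": "203.0.113.10"},
    {"ts": "2024-03-01T08:02:00Z", "user": "jdoe", "portal": "remote-gateway",
     "result": "success", "mfa": True, "src": "198.51.100.7"},
    {"ts": "2024-03-01T09:30:00Z", "user": "asmith", "portal": "remote-gateway",
     "result": "failure", "mfa": False, "src": "203.0.113.22"},
    {"ts": "2024-03-02T22:47:00Z", "user": "svc-remote01", "portal": "remote-gateway",
     "result": "success", "mfa": False, "src": "203.0.113.10"},
    {"ts": "2024-03-02T10:00:00Z", "user": "bnguyen", "portal": "intranet-sso",
     "result": "success", "mfa": False, "src": "10.20.30.40"},
]

# Constructed inventory: accounts holding remote-access entitlement and whether
# each is enrolled in MFA. In practice this comes from the identity provider.
REMOTE_ACCESS_ACCOUNTS = {"svc-remote01": False, "jdoe": True, "asmith": True}

# Portals reachable from the internet; logins here must always complete MFA.
EXTERNAL_PORTALS = {"remote-gateway"}


@dataclass(frozen=True)
class Finding:
    kind: str    # "login_without_mfa" or "not_enrolled"
    user: str
    detail: str


def logins_without_mfa(events: Iterable[dict]) -> list[Finding]:
    """Flag successful logins to an external-facing portal that skipped MFA.

    Failed attempts and internal portals are ignored: the point of this check is
    to catch a valid credential being accepted from outside with no second factor.
    """
    findings = []
    for e in events:
        if e["portal"] in EXTERNAL_PORTALS and e["result"] == "success" and not e["mfa"]:
            findings.append(Finding("login_without_mfa", e["user"],
                                    f'{e["ts"]} from {e["src"]} via {e["portal"]}'))
    return findings


def unenrolled_remote_accounts(accounts: dict[str, bool]) -> list[Finding]:
    """Flag accounts entitled to remote access that are not enrolled in MFA."""
    return [Finding("not_enrolled", user, "remote-access entitlement without MFA enrollment")
            for user, enrolled in sorted(accounts.items()) if not enrolled]


def audit(events: Iterable[dict], accounts: dict[str, bool]) -> dict[str, list[Finding]]:
    """Run both checks and group the findings by kind."""
    return {
        "logins_without_mfa": logins_without_mfa(list(events)),
        "not_enrolled": unenrolled_remote_accounts(accounts),
    }


if __name__ == "__main__":
    for kind, findings in audit(SAMPLE_EVENTS, REMOTE_ACCESS_ACCOUNTS).items():
        print(f"{kind}: {len(findings)}")
        for f in findings:
            print(f"  {f.user}: {f.detail}")
```

On the constructed data the audit reports two non-MFA logins, both for the service account, and one unenrolled account, which is the same service account; service and vendor accounts with remote entitlement are the ones most often left out of an MFA rollout and are worth reviewing first. A real deployment would feed this from the gateway's authentication log and the identity provider's enrollment export, and alert on either finding rather than waiting for an annual review.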
HIPAA Security Rule Protects Against Ransomware
Organizations that follow the HIPAA Security Rule are much better protected against cyberattacks and ransomware. The joint Cybersecurity Advisories, FBI guidance, and HHS advice all mirror the safeguards required by HIPAA.
An annual Risk Analysis and ongoing Risk Management throughout the year keep cybersecurity defenses solid and up-to-date.
All covered entities, third-party vendors, and business associates must follow the latest guidance and manage risks to protect patient privacy.
Compliance is more critical than ever.