Out of the reported healthcare cyber incidents in May, the attack on Ascension stopped many in their tracks. This incident came at a time when many in the industry are still reeling from the Change Healthcare attack, which profoundly affected the healthcare sector, with 94% of hospitals reporting financial repercussions and 74% noting direct impacts on patient care.
These occurrences highlight the serious challenges healthcare organizations face when securing their organizations and patient data.
What happened with Ascension?
On May 9th, the Ascension IT team detected unusual activity on its network. This marked the beginning of a ransomware attack, which was eventually linked to Black Basta and its affiliates.
The cybersecurity incident greatly affected the non-profit health system – one of the largest in the United States with 140 hospitals, 40 senior living facilities, and more than 2,600 care sites in 19 states and the District of Columbia.
It impacted Ascension’s systems and various communication platforms, forcing the organization to activate emergency response protocols. Patients had to be turned away or rescheduled, and hospital staff were left unsure of what to do as patients arrived for tests and appointments.
Doctors and nurses in over a dozen states had to revert to paper records and handwritten treatment orders for two weeks, leading to delays in patient care, long waits in emergency rooms, and increased risks of medication errors due to the lack of digital record access.
According to Ascension’s cybersecurity event update page, the systems impacted include:
- Electronic health records system
- MyChart (patient / provider communication platform)
- Various communication platforms, including phone systems
- Systems used for ordering tests, procedures, and medications
How did Ascension respond?
Ascension was quick to act, taking important steps to navigate the situation and coordinate with various agencies. This approach sped up the recovery process and provided valuable threat data to the rest of healthcare. The steps they took included:
- Disclosing the incident and starting incident response (IR) procedures to contain the breach, secure the systems, and begin recovery efforts
- Communicating effectively with regular updates to staff, patients, and the public, demonstrating transparency and commitment to patient care
- Collaborating with federal agencies and industry groups, including the FBI, the Department of Health and Human Services (HHS), the Cybersecurity and Infrastructure Security Agency (CISA), the American Hospital Association, and the Health Information Sharing and Analysis Center (H-ISAC)
- Providing updates on their website
Aftermath of the Ascension attack
Because the ransomware attack resulted in the unauthorized disclosure of protected health information (PHI), including names, dates of birth, patient records, and Social Security numbers, Ascension now faces class action lawsuits.
The suit alleges that Ascension failed to safeguard personally identifying information and PHI, which resulted in patients being unable to communicate effectively with their healthcare providers or receive the medical care and attention they needed. In addition, Ascension may face regulatory fines after the full investigation and report are submitted to the Office for Civil Rights (OCR).
An ounce of prevention
The rise and ruthlessness of cyber attacks against healthcare organizations will likely continue. However, much can be done within an organization to minimize the damage if an attack occurs.
For insights into a real-life hospital ransomware event and the knowledge that helped them contain the spread, watch our on-demand webinar.