Ambulance diverted. Cancer treatment is delayed. Offline electronic health records. These are just some of the ripple effects of an apparent cyberattack on a major nonprofit health system that disrupted operations across the US.
While CommonSpirit Health confirmed it encountered an “IT security issue” earlier this week, the company remained a mother when pressed to provide more details about the scope of the attack. The huge health system has 140 hospitals in 21 states. As of Thursday, it was not known how many of the 1,000 care sites serving 20 million Americans were affected.
Despite lingering questions, the case highlights growing concerns around ransomware attacks on healthcare systems with patient care at stake.
In Tacoma, Washington, Mark Kellogg told KING-TV that his wife, Kathy, had been scheduled to have a cancerous tumor removed on her tongue on Monday, but the procedure was delayed several days because of the cyberattack. Virginia Mason Franciscan Health’s parent company is CommonSpirit Health.
“Everything we do today is on a computer, and without it, you are going back to the Stone Age to write on a tablet,” says Kellogg.
In Iowa, the Des Moines Register reports that the incident forced five ambulances to be diverted from the city’s MercyOne Medical Center emergency department to other medical facilities.
The incident forced both MercyOne and VMFH to use some IT systems offline – including the patient’s electronic health records – as a precaution.
Not a Modern Healthcare subscriber? Sign up today.
Brett Callow, a threat analyst with cybersecurity provider Emsisoft, said the incident could be “the most significant attack on the healthcare sector to date” if all hospitals CommonSpirit and other facilities are affected.
Emsisoft tracked at least 15 healthcare systems in the US affected by ransomware this year, managing more than 60 hospitals. Callow said data was stolen in 12 of the 15 cases, adding that those cases were almost certainly missing because some ransomware attacks were not widely reported.
Callow said one of the largest known attacks in the healthcare sector occurred in September 2020 when a ransomware attack hit all 250 Universal-owned healthcare facilities. Health Services.
CommonSpirit’s crashes can go beyond that, depending on how many of its facilities are hit. That means the company faces huge financial costs to weather the crash and recover.
Callow cites over $100 million in damages reported by Scripps Health related to a 2021 ransomware attack that affected five of its hospitals in California as an example.
Asked for more information about the incident and its impact on Thursday, a spokesperson for CommonSpirit said the health system was unable to provide further details.
The most disturbing effect of any attack on the healthcare industry is on patients, says Callow.
“I’ve seen reports that at least one of the affected hospitals had to redirect ambulances to other facilities, and delays in providing the care they need to people clearly have could put the patient’s life at risk,” he said. “Additionally, these incidents can have a long-term impact on patient outcomes – such as delaying treatment.”
In 2020, the FBI and other federal agencies warned that they had credible information that cybercriminals could unleash a wave of extortion attacks against hospitals and care providers. health care of the United States.
That’s because ransomware criminals increasingly steal data from their targets before encrypting the network, using it to extort money. They typically seed malware weeks before activating it, waiting for moments when they believe they can extract the highest payouts.
Healthcare is classified by the US government as one of 16 critical infrastructure sectors. Healthcare providers are considered ripe targets for hackers.
If patient data is accessed, healthcare providers are required by law to notify the Department of Health and Human Services.
Download Modern Healthcare’s app to stay up to date with industry news.
