Oct 18, 2022 - Health

Health system ransomware attack highlights patients' vulnerability


A crippling ransomware attack on the second-largest U.S. nonprofit health system is showing how much patients can be left in the dark when critical health care infrastructure goes down.

Why it matters: The attack earlier this month on CommonSpirit Health, which has 142 hospitals in 21 states, left IT locked, delayed surgeries and caused widespread disruptions in patient care.

What they're saying: "We don't know what was disrupted," Israel Barak, chief information security officer of Boston-based Cybereason, told Axios.

  • For instance, patients don't know what sort of potential disruptions this has caused to certain services or procedures, and they have no idea of the extent to which their personal information might have been stolen, Barak said.
  • "As consumers of these services we don't have a way to control our destiny or manage our risk," Barak said.

This latest attack comes as the Biden administration examines how to beef up minimum cybersecurity standards within critical infrastructure like health care, the Washington Post reports.

  • There's been a nearly 50% increase in interactive intrusion campaigns this year, with some of the most notable increases against health institutions, per a recent report from cybersecurity firm CrowdStrike.
  • In 2021, 45 million individuals were affected by healthcare attacks, up from 34 million in 2020, Fierce Healthcare reported.
  • At least 68 healthcare providers in the U.S. were impacted by ransomware in 2021, including multiple hospitals and multi-hospital health systems with a total of 1,203 sites between them, according to cybersecurity firm Emsisoft.

State of play: Health systems remain uniquely vulnerable to threats, experts say.

  • They're highly complex, relying on vulnerable supply chains and connections with numerous small clinics and vendors, Barak said.
  • With lives on the line, hospitals have more to lose if they don't pay up.
  • But health systems also have fewer incentives to truly prioritize their cybersecurity, said Grant Elliott, CEO of Arlington, Virginia-based risk management platform Ostendio.
  • "There's a distinct lack of enforcement within health care generally and, as a result, there's not a huge amount of consequence to these organizations for not building an effective security program," Elliott said.
  • One 2020 study by CybelAngel found more than 45 million X-rays, CT scans and other medical images could be accessed on unprotected servers, unencrypted and without password protection.

Zoom in: CommonSpirit confirmed in a statement Monday it is still working to bring systems back online.

  • "As previously shared, we took immediate steps to protect our systems, contain the incident, begin an investigation, and maintain continuity of care," CommonSpirit said in an emailed statement.
  • "It will take some time before we can restore full functionality and we continue work to bring our systems up as quickly and safely as we can." They said they could not provide additional information because of an ongoing investigation.
  • A page on their website said there was "no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities."

Be smart: There's no consensus in the industry about the best way to handle a ransomware attack, and while there are reporting requirements, it can also take health systems a while to fully establish what information has been compromised, Elliott said.

  • "Especially when you have something like a ransomware breach," he said. "Is this particular breach, they've simply frozen the assets and the organization can no longer access information which is its own concern? Or has the third party actor actually gained access to that information and downloaded it and threatening to release that information?"
  • But, he said, the challenge with a lot of the federal health care regulations for hospitals when it comes to data breaches is they're not specific enough.

The bottom line: While the biggest concern from the rising threat of ransomware attacks is the impact on patient safety, the speed and specificity with which hospitals communicate the threat to patients is also critical.

  • "There's a lot more we can do as an industry to regulate how healthcare data is managed," Barak said.

Editor’s note: This story has been corrected to properly identify the chief information security officer of Boston-based Cybereason as Israel Barak.
