CHICAGO — Ambulances diverted. Cancer treatment delayed. Electronic health records offline. These are some of the ripple effects of what appears to be a cyberattack on a major nonprofit health system, which affected operations across the United States.
While CommonSpirit Health acknowledged an “IT security issue” earlier this week, it has not answered inquiries about the nature of the incident. The giant health care system comprises 140 hospitals in 21 states. As of Thursday, it is still unknown how many of the organization’s 1,000 care locations, which serve 20 million Americans, were compromised.
Despite the unanswered questions, the episode highlights growing concern about ransomware attacks on healthcare institutions, where patient care is at risk.
Mark Kellogg told KING-TV in Tacoma, Washington, that his wife Kathy was scheduled to have a malignant tumor removed from her tongue on Monday, but the treatment was delayed several days due to the cyberattack. CommonSpirit Health is the parent company of Virginia Mason Franciscan Health.
Kellogg stated, “Everything we do today is done on a computer, and without it we would be back in the stone period writing on tablets.”
In Iowa, the Des Moines Register reported that the incident caused five ambulances to be diverted from the emergency department at the city’s MercyOne Medical Center to other medical facilities.
Both MercyOne and Virginia Mason Franciscan Health (VMFH) were compelled to take certain IT systems offline as a precaution, including electronic health records for patients.
Brett Callow, a threat analyst at cybersecurity vendor Emsisoft, stated that if all CommonSpirit hospitals and other institutions were affected, the incident would be “the most catastrophic attack on the healthcare sector to date.”
This year, Emsisoft has identified at least 15 healthcare systems in the United States, together operating more than 60 hospitals, that have been compromised by ransomware. Data was stolen in 12 of the 15 incidents, according to Callow, who added that the number is almost certainly underreported because some ransomware attacks are not generally reported.
According to Callow, one of the largest documented healthcare attacks occurred in September 2020, when ransomware infected all 250 healthcare facilities operated by Universal Health Services.
Depending on how many of CommonSpirit’s facilities were affected, the incident might reach that scale. This could mean that the organization will incur substantial costs to recover.
As an example, Callow cited Scripps Health’s loss of more than $100 million from a ransomware attack in 2021 that affected its five California facilities.
On Thursday, a spokesman for CommonSpirit said the health system was unable to share any additional information about the incident and its effects.
Callow stated that the most concerning effect of any serious attack on healthcare is on patients.
“I’ve heard reports that at least one of the affected hospitals had to redirect ambulances to other facilities, and that delay in getting patients the care they need poses a clear risk to their lives,” he said. Beyond that, these incidents can have long-lasting effects on patient outcomes, for example when therapy is postponed.
In 2020, the FBI and other federal agencies warned that cybercriminals could launch a wave of data-scrambling extortion attempts against hospitals and healthcare institutions in the United States.
Ransomware attackers are increasingly stealing data from their targets before encrypting networks and using it for extortion. Typically, they plant malware weeks before activating it, waiting for the moment when they believe they can extract the largest payment.
The U.S. government classifies healthcare as one of 16 critical infrastructure sectors. Hackers view healthcare providers as ripe targets.
The law requires healthcare providers to notify the Department of Health and Human Services if patient information is accessed.