Cybersecurity incident impacts operations at Ascension hospitals

The news that numerous hospitals in the Ascension network across the country had to shut down their computer systems due to a cybersecurity incident prompted medical staff across the country to make paper charts, dramatically altering medical care for the final day.

The Detroit Free Press reported that a Michigan doctor said he had no access to medical records, labs, radiology or X-rays and no ability to place orders.

“We have to write everything down on paper,” said the doctor. “It’s like the 1980s or 1990s. You go to the x-ray room to look at the x-rays on film, they call the lab and they tell you what the result is.” So it’s a lot more complicated, but we have training for these moments.

Another man in Maryland said his partner, a 69-year-old woman with numerous medical problems, was admitted to Ascension Saint Agnes Hospital in Baltimore last night and that they, too, had all of their medical records prepared on paper. To make matters worse, the hospital doctors were unable to obtain the woman’s medical history from her family doctor, and the hospital doctors were unable to send recent tests conducted at the hospital to the family doctor, making it almost impossible for the doctors to consult and treat her properly.

Ascension, which operates 142 hospitals and 40 senior care facilities nationwide in 19 states and the District of Columbia, is the largest nonprofit Catholic health system in the United States with 2023 revenue of $28.3 billion.

The nonprofit said in a May 9 statement that it discovered unusual activity on “select technology network systems” on May 8 that was believed to be due to an (unspecified) cybersecurity incident.

“At this time, we are continuing to investigate the situation,” Ascension’s statement said. “Our care teams are trained to deal with these types of disruptions and have procedures in place to ensure patient care continues to be safe and disrupted as minimally as possible. A disruption to clinical operations occurred and we continue to assess the impact and duration of the disruption.”

Ascension has engaged Google Mandiant to assist with the investigation and remediation process and has notified appropriate authorities. The statement said they are investigating what information may have been affected and that they will notify those affected if sensitive information has been stolen.

“The Ascension attack following Change Healthcare shows that malicious actors’ threats to attack healthcare are not idle threats,” said Toby Gouker, chief security officer at First Health Advisory and SC Media columnist. “These threats are targeted at the largest and smallest healthcare providers and can even result in threatening emergency room patients trying to find a bed for their medical emergencies.”

Darren Williams, founder and CEO of BlackFog, added that healthcare is consistently in the top three when it comes to ransomware. Williams said the abundance of sensitive data combined with the potential to cause massive disruption made the sector an attractive target for cybercriminals.

“The attack on Ascension Hospitals, coupled with the recent attacks on Change Healthcare, shows us clearly that the healthcare industry is failing to prevent attacks and secure patient data,” Williams said.

“This attack sounds like ransomware that will very quickly revert medical care back to paper documentation,” said John Bambenek, president of Bambenek Consulting. Bambenek said several regional hospital and doctor chains have experienced similar incidents in recent months as several ransomware groups target these types of organizations.

“Some of these organizations are becoming ‘regulars’ of ransomware groups, suggesting that a certain complacency and mentality that there is little that can be done about it has taken hold. “So manage the risk with a combination of insurance, paper charts, etc. With hospital mortality rates increasing, enduring these attacks is becoming increasingly common,” Bambenek said. “Therefore, cyber insurance companies are the only entities that can truly enforce changes, set the terms for policy renewals, or determine what to do after a breach.”