Ascension, one of the largest health systems in the United States, said Thursday that it was struck by a cyberattack that knocked patient record systems offline and forced medical staff to log care on paper, the latest hack to underscore the vulnerability of American’s health-care system to cyber intrusions.
The nonprofit chain said it detected the hack Wednesday and took immediate steps. In the direct aftermath, emergency crews diverted patients to other hospitals while staffers described manual workarounds in interviews.
Electronic patient charts, the core system for the flow of care, were among systems affected, said Ascension, which operates 140 hospitals in 19 states.
In addition, the company said late Thursday that MyChart — a portal for patients to see their records and message providers — was unavailable, along with some phone services and systems for ordering tests, procedures and medications. Some elective procedures and appointments have been delayed, the company said, and it directed patients to bring notes on their symptoms and a list of medications with prescription numbers to appointments.
Advertisement
For several hospitals, Ascension said it has instructed emergency medical services to divert patients to other health-care facilities “to ensure emergency cases are triaged immediately.” The health system doesn’t have a timeline for restoring services, it said.
Earlier in the day, Ascension said it was investigating which records were compromised. “Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines,” it said.
Nurses at Ascension hospitals said the hack disabled a variety of their electronic services, most crucially access to patients’ electronic health records.
Robin Buckner, a nurse at Ascension Saint Agnes Hospital in Baltimore, said she had to talk with doctors by phone or see them in person to get patients’ medical histories before placing intravenous lines. “I’m sure there was a little delay in care,” she said. “There’s no doubt about it.”
Advertisement
At Ascension Seton Medical Center in Austin, staff couldn’t use many of their glucometers — a device that measures blood-sugar levels — because they work by scanning a patient’s wristband to identify them, said Kristine Kittelson, a nurse who works in a postpartum unit.
Now that wristbands are being handwritten, she and her colleagues have had to share just a few glucometers that didn’t rely on the electronic system, she said.
At Ascension Via Christi St. Joseph in Wichita, Carol Samsel noticed things were off Wednesday morning when she couldn’t order food for patients and the pager and emergency-code system weren’t working as usual.
Charting patient care on paper makes everything take longer, but “our patients are being take care of and are safe,” said Samsel, who like Kittelson and Bucker, is a member of the union National Nurses United.
Advertisement
In Pensacola, Fla., Ascension Sacred Heart asked first responders to take patients to other area hospitals Wednesday afternoon, a request known as a “bypass,” said Davis Wood, spokesperson for Escambia County’s public-safety services. The bypass has since been lifted, Wood said Thursday, and emergency responders have resumed taking patients to the hospital.
Health industry security experts said the attack bore similarities to past breaches by Black Basta, a successor to the Russian Conti gang that is notorious for exacting ransom and then demanding more money not to publish sensitive data, a technique known as double extortion.
Ascension didn’t respond to emailed questions or say whether the attack involved ransomware.
The Catholic-affiliated Ascension, among the five largest networks in the United States by number of hospitals, is headquartered in St. Louis. It reported total revenue of $28.3 billion in 2023.
Advertisement
The hack comes as government and health-care officials focus renewed attention to cybersecurity in the wake of the hacking of Change Healthcare, a subsidiary of UnitedHealth Group that is responsible for processing a vast amount of medical claims nationwide.
The cyberattack and ensuing outage disrupted operations across the country’s pharmacies, hospitals and medical practices, preventing them from getting paid and leaving consumers unable to use coupons they rely on to afford prescription drugs.
UnitedHealth Group’s chief executive, Andrew Witty, disclosed last month in a Senate hearing that it paid $22 million in bitcoin to hackers who targeted subsidiary Change Healthcare and shut down medical billing systems across the country.
The vulnerability and UnitedHealth’s response came under intense criticism from lawmakers. In that hack, the criminals accessed computers using compromised credentials, entering through a system that did not require multifactor authentication.
Advertisement
Health-care providers largely have been able to blunt direct impacts to patient care over the course of the Change Healthcare hack, even as they’ve taken out loans and resorted to filing medical claims on paper. The Ascension hack, though smaller in scope, impacted systems with a direct bearing on care.
Ascension said it had turned to a third-party contractor, Mandiant, to help it investigate and work on restoring service. It said it has notified other businesses that interact with its computers so that they can take steps to protect their own systems, which often means disconnecting.
“Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible,” Ascension said.
The Department of Health and Human Services “is aware of a cyber incident involving Ascension Health and is in communication with Ascension Leadership to understand and assess their efforts to minimize any disruptions to patient care,” HHS spokesperson Samira Burns said in a statement. Burns added that the incident underscores “the urgency of strengthening cybersecurity resiliency” in health care, pointing to the agency’s voluntary cybersecurity goals as a guide to how organizations can protect themselves.
Advertisement
But the voluntary nature of security measures is being debated as the numbers of incidents increase.
Hackers in recent years increasingly have targeted U.S. medical systems with ransomware, which involves infiltrating an organization’s network and using malicious code to lock up its data. The FBI’s internet Crime Complaint Center received reports of 249 ransomware attacks on health-care infrastructure last year, the most of any sector it tracked, according to an annual summary released in March.
More ransomware attackers than in previous years are devoting resources to developing sophisticated attacks against larger targets, in hopes of obtaining a bigger ransom, government and cybersecurity officials said. This includes spending more time once inside a target to steal data, instead of just encrypting it.
Advertisement
The average “dwell time” inside ransomware victims has increased from two days to six, security firm Mandiant said this week at an annual forum in San Francisco on cybersecurity, the RSA Conference. Because so many targets pay, the gangs have more to invest in attacks, said Robert Lipovsky, principal threat researcher at security firm ESET.
“It is an uneven fight,” Lipovsky said in an interview Thursday, though the extent of the impact varies depending on the quality of hospitals’ data backups and how segmented their systems are. The more separation, the better, experts said.
“It has to do with the state of cyber resilience that the hospital is in,” Lipovsky said. “At many, it is not very good.”
The White House is actively developing “mandatory minimum” cybersecurity standards for hospitals, deputy national security adviser Anne Neuberger said at the conference. She said officials had been urging multiple sectors to adopt multifactor authentication instead of relying on passwords, comparing some hospital security failures to car owners leaving keys on the seat with the door unlocked.
Advertisement
Megan Stifel, chief strategy officer at the nonprofit Institute for Security and Technology, said she agreed with Neuberger that voluntary codes were not enough. “We chose not to take a regulatory approach, and we’re now paying the price,” she said in an interview.
The American Hospital Association has said it supports voluntary cybersecurity goals but criticized mandatory measures. The organization says requirements like those proposed by the Biden administration would penalize hospitals that don’t meet certain standards, even when the vulnerability comes from third-party technologies.
ncG1vNJzZmivp6x7uK3SoaCnn6Sku7G70q1lnKedZK%2B2v8innKyrX2d9c4COaWxoaGlksLquxKuYrayRmLhutMCcomagn6i9qsDApWSaq5Oau7S1zqdm