Ascension Healthcare Suffers Major Cyberattack

Healthcare provider Ascension, which operates 140 hospitals across 19 states, fell victim to a cyberattack that took down multiple essential systems including electronic health records (EHRs), the MyChart platform for patient communication, and certain medication and test-ordering systems.

The organization disclosed the attack on May 8 and said it is actively investigating it with internal and external advisers, prioritizing patient safety amid the disruption.

According to a report in the Detroit Free Press, employees became aware of computer network issues on May 7, which prompted a shutdown of the entire system.

The provider has temporarily paused non-emergency medical procedures and appointments, and some hospitals are diverting emergency medical services. Patients were advised to bring relevant medical information to appointments due to system limitations.

"We are actively supporting our ministries as they continue to provide safe, patient care with established downtime protocols and procedures," a company statement said. "It is expected that we will be utilizing downtime procedures for some time."

The organization has tapped incident response help from Mandiant for investigation and remediation efforts. It is unknown if any patient data was exposed in the attack.

"We are working to fully investigate what information, if any, may have been affected by the situation," Ascension said. "Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines."

Healthcare Suffers Yet Again

Ascension's cyberattack comes on the heels of a February ransomware attack on United Healthcare's Change Healthcare subsidiary, which caused chaos for days with outages across multiple hospitals and facilities.

Mark Manglicmot, senior vice president of security services for Arctic Wolf, says Ascension's cyber incident is a grim reminder that healthcare organizations are an "incredibly hot" target, and attacks on their infrastructure have consequences far beyond a ransom demand.

He points out that healthcare organizations not only hold the keys to troves of personal and confidential information on patients, but they also have mass networks of critical medical technology.

Bad actors holding medical data hostage and turning off medical equipment can directly threaten thousands of lives, and the longer the intrusion persists, the greater the risk. 

"Last year, the median ransomware demand in the healthcare industry was $450,000; although this is a steep ask, it's important to consider that the human impact of a healthcare incident is a far greater lever that threat actors are using to achieve their financial and notoriety goals," he says.

Kurt Osburn, director of risk management and governance at NCC Group, notes how healthcare is an easy target as well.

"Within hospitals, there are so many people and entry points to get information from that it can take a significant effort and cost to secure it all," he says. "No healthcare attacks are surprising, unfortunately. The industry is a priority target for attackers because of the value of the information."

Manglicmot says the top attack methods his firm sees over and over are the exploitation of long-known external facing vulnerabilities and phishing attacks.

"Although these are tried-and-true methods of exploitation, organizations struggle to shore up all the weaknesses here, putting patient health and safety at risk," he says.

He advises that when recovering from an incident, prioritize patching external-facing vulnerabilities and establish a comprehensive top-to-bottom 24x7 security operations capability.

"Without these in place, the risk of a repeat, successful attack is very high," he cautions.

Osburn says healthcare organizations must prioritize cybersecurity and make a more concerted effort to protect patient data privacy and security.

"Don't just accept the risk of being hacked — proactively prevent, detect, and respond to threats," he advises. "Have safeguards in place for storing, accessing, and sharing sensitive personal health information to limit the impact if a breach occurs."