Local Healthcare Systems Hit by Ransomware Attack

The ramifications will be felt for some time.”

Two months ago, operations in several local hospitals, emergency rooms and outpatient clinics in the Virginia Mason Franciscan Health network hit a wall. The electronic health record system was not working. The shutdown would last for nearly two weeks.

The network is a subsidiary of CommonSpirit Health, the nation’s second largest nonprofit health system. Ultimately, CommonSpirit revealed that the cause was a ransomware attack. 

According to Health IT, an online healthcare media publication, a security breach led CommonSpirit to take its electronic health records offline. Facilities across the country were affected, including sites in Nebraska, Iowa, Texas, Michigan and Tennessee. The nature of the breach has not been made public.

Key Peninsula News interviewed several healthcare providers who work at affected hospitals, most of whom requested anonymity. CommonSpirit did not respond to a request for information by KP News, but has posted updates on its website.

When the shutdown at the St. Anthony Hospital emergency room began October 4, the staff was told that EPIC, the electronic health record system, would be taken offline for an unknown duration. Staff immediately shifted to the protocol used for routine downtimes, reverting to paper to record care plans, place orders and track patients. They relied on faxes to send and receive information. Younger staff had not used paper and required on-the-job training.

After four or five days, the systems in the emergency room were pretty well established. “We had reached a plateau and it was just getting it done,” one staff member said.

Those working in the hospital wards described significant disruption. Fax machines could not handle the message load. Procedures were cancelled, delayed or rescheduled. Some patients were transferred to other hospitals. Providers could not review X-rays or results unless they went to the radiology department, where the line extended into the halls. It was nearly impossible to communicate a discharge plan or medication list to a patient’s outpatient doctor.

“Providers from other systems were affected by the cyberattack,” said Jennifer Kriedler-Moss, Peninsula Community Health Services CEO. “They cared for patients who were having problems accessing care and were referred to them from the Franciscan Virginia Mason network. Even though the systems were recovered, it will take some time until all records are entered, and care is again completely re-coordinated. The ramifications will be felt for some time.” 

The CommonSpirit event is not unique. According to a 2018 report produced by a task force including staff from the U.S. Department of Health and Human Services, $6.2 billion was lost in 2016 due to data breaches in the nation’s healthcare system.

Electronic health records have become integral to healthcare over the last two decades. They are how providers record patient care, order tests, view results, and communicate with one another. Patients can use a portal to send messages to their provider, request prescription refills and look up test results. But the very advantages that an interconnected system offers leads to increased vulnerability to cyberattacks.

In a ransomware attack, hackers gain access to sensitive computer networks and demand substantial money to release their control.

The FBI has warned that ransomware hackers target companies with significant time-sensitive financial events. Samantha Liss, a reporter for the online news service Healthcare Dive, noted that the CommonSpirit incident occurred three years following a large merger, and that it was in the middle of a sizeable debt issuance.

In updates on their website in November, CommonSpirit announced that it had hired Daniel Barchi, an executive with a military background, as its chief information officer. He will lead the ongoing response to the cyberattack. Nationwide, most providers had regained access to their systems and the patient portal was functioning, CommonSpirit said.

“To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement,” the organization posted. “We recognize that our stakeholders may have questions about their data, and we continue to conduct a thorough forensics investigation and review of our systems — which, in part, seeks to determine if any data was impacted.”

Exactly what the CommonSpirit breach entailed, how it was resolved, and whether a ransom was paid have not been made public. 

Some reporting is required, however. A federal law passed in March 2022 requires all companies in critical infrastructure sectors, including healthcare, to report cyber incidents within 72 hours and ransom payments within 24 hours. At the state level, companies must inform individuals about a data breach within 45 days and must report to the attorney general’s office within 60 days if more than 500 people are involved.

The common security threats to organizations include email phishing attacks, ransomware attacks, loss or theft of equipment or data, insider and accidental or intentional data loss. Mitigation efforts include email protection systems, network management, incident response, medical device security, and cybersecurity policies.

One take-home lesson, said one IT leader, is for all individuals to take precautions themselves. “Don’t use the same password, consider getting a password protection program, and use dual authentication,” he said.