
CommonSpirit Health System Hit by Cyber Attack

According to Anneka Gupta, Chief Product Officer at security software firm Rubrik, an outage like the one CommonSpirit suffered needn't last so long if proper plans are in place.

Chicago-based CommonSpirit Health was hit by a cyberattack in October 2022 and, as a result, had to postpone care for patients across multiple regions of its system. How much of the loss will be offset by insurance recoveries is still unknown.

What Happened?

In October 2022 the nation's second-largest nonprofit health system was hit with ransomware that knocked parts of its IT systems offline for roughly two weeks, leaving clinicians and patients unable to access electronic health records (EHRs), with surgeries postponed, prescriptions delayed and appointments canceled.

CommonSpirit kept patient safety as its top priority and posted regular updates on its website and social media pages. According to an internal document reviewed by FierceHealthcare, it responded quickly by notifying law enforcement and hiring external forensics experts; it also informed its insurers and revised its contracts to make sure it would be covered against cyberattacks in future.

While the incident affected hospitals and clinics across the country, its effects were not felt equally: some hospitals took longer than others to bring their systems back online, and the impact on patients varied by facility. CommonSpirit has not disclosed a total figure, but a lawsuit filed on December 29 alleges that more than 624,000 individuals' private information was compromised (see CommonSpirit Health Facing 2 Proposed Class Actions Post-Breach).

Attacks are likely “every time there’s chaos or uncertainty,” says Anneka Gupta, Chief Product Officer at Rubrik, which provides data security and compliance management software.

According to an internal report from the health system, CommonSpirit's IT team identified abnormal activity on its network and promptly took measures to contain the threat. The attackers had access between September 16 and October 3, 2022, but according to this analysis they did not gain direct access to any EHRs; every system they had reached was taken offline to contain the breach.

Although more organizations are creating incident response plans, Manley notes that many do not cover every area a hospital might need during an attack. He recommends plans built around cross-functional teams of IT, cybersecurity and legal personnel, covering forensics, recovery operations, public relations and support for executive management. In the aftermath of the CommonSpirit incident, the health system's response plan was put into action immediately, with short and honest public updates.

What We Learned

Health systems are vulnerable to cyberattacks such as phishing and ransomware. If they do not take measures to secure their data, the consequences can be catastrophic: lost productivity, downtime, fines and lasting reputational harm.

CommonSpirit's incident is believed to have begun with a phishing attack that eventually led to ransomware encrypting files and demanding payment for the decryption key. Once the attack was detected, CommonSpirit took affected IT systems offline, notified law enforcement and brought in its forensics team to investigate.

The attack hit a system of some 140 hospitals and more than 700 care sites in 21 states. The attackers did not directly access patients' medical records, but the disruption forced appointments to be rescheduled and certain facilities to close for days.

Financial reports for the system indicated that the loss in normalized net patient and premium revenue due to the cybersecurity incident was lower than anticipated.

In addition to lost revenue, the organization incurred expenses in responding to the incident, including $1 million to hire an external cybersecurity firm for investigation and recovery and $1.4 million in costs associated with rescheduling appointments.

On December 1, CommonSpirit completed breach notification to the individuals whose files had been compromised. According to that notice, the affected files contained names, addresses, phone numbers and dates of birth as well as family member and caregiver information, but not medical records or insurance ID numbers.

PHI is highly valuable to cybercriminals, and a ransomware intrusion gives them a simple route to it. Once they hold the data they can demand a ransom for it, threaten to publish it, or sell it on the black market.

Experts agree that preparation is key to limiting the damage from a ransomware attack. That means developing a plan that includes training, simulations and a backup strategy. Anneka Gupta of security software company Rubrik stresses that health systems must also commit adequate resources, such as funding a response team and investing in defenses such as firewalls, before an attack takes place.

Recommendations

CommonSpirit Health's cyberattack is yet another reminder that healthcare systems remain among the most vulnerable organizations. The event also offers valuable lessons you can apply to the security of your own organization.

The Chicago-based health system operates roughly 140 hospitals and more than 1,000 care sites across 21 states, including cancer clinics and stroke centers, and runs numerous wellness initiatives for patients and community members.

Reports indicate that in October the company experienced a ransomware attack that took many of its IT systems offline, including EHRs. Doctors and nurses lost access to patients' digital medical records, which put patient safety at risk: without the record, clinicians may not be able to tell whether a patient is taking medications that interact dangerously or has allergies that rule out a treatment.

Ransomware operators encrypt data and block access to hospital systems until a fee is paid for the decryption key. This form of extortion pressures hospitals to pay up or risk losing access to their data and having sensitive information exposed.

Beyond the financial losses, healthcare systems can face regulatory and legal action after a data breach. State laws protecting patient privacy can lead to fines against affected providers, and affected patients can file lawsuits, as they did in this case.

Health systems should make sure their employees understand the risks and are trained in cybersecurity best practices. Third-party experts can also provide valuable support, helping identify suspicious activity and stop it from spreading before it escalates.

Finally, health systems must ensure they carry sufficient cyber liability insurance. Such policies can be expensive, but without one the full cost of an incident on the scale of CommonSpirit's falls on the organization and could quickly bankrupt it.

Conclusions

The October 2022 ransomware attack on CommonSpirit Health caused IT and EHR downtime that disrupted patient care and forced appointments to be cancelled, and it exposed records belonging to roughly 624,000 individuals.

As the incident has continued to evolve, more details have emerged about what transpired. The attackers are believed to have used a phishing campaign that sent employees emails with malicious links; when clicked, the links installed malware that encrypted files and demanded a ransom payment.

The health system reported that attackers had access to file servers between September 16 and October 3, reaching files containing names, addresses, dates of birth, medical diagnoses and treatments, billing and claims data, and in some cases Social Security numbers. Some systems experienced longer outages than others; where that happened, the company contacted patients directly so they knew whether any of their information might have been affected.

During an earnings call the health system said it now estimates losses from the incident at $160 million, including lost revenue, remediation costs and other business expenses. That is $10 million more than the estimate in its prior quarterly report, issued in February 2023.

It remains uncertain whether the health system will have to pay fines or provide credit monitoring to those whose data was exposed, but such secondary costs are likely to add significant expense. Any cyberattack also damages a health system's reputation, which can suffer significantly as a result.

While the initial cause of the attack has not been confirmed, cybersecurity experts advise healthcare organizations to build a defense against such attacks in advance. Anneka Gupta, chief product officer at cybersecurity software provider Rubrik, suggests focusing on people, processes and technology: training staff to recognize phishing, running simulations, backing up data strategically, and keeping operating systems and applications patched.
