As CommonSpirit Situation Continues Forward, Cyber Expert Calls the Incident an ‘Unfortunate Disaster’
Chicago-based CommonSpirit Health, which has 140 hospitals across 21 states and more than 1,000 facilities, has been experiencing an “IT security issue," as mainstream media outlets have been reporting. Journalists began reporting the incident on Monday, Oct. 3, and updated information categorizes the incident as a ransomware attack. CommonSpirit is the second-largest nonprofit health system in the U.S.
According to an Oct. 6 article by Jessica Lyons Hardcastle from The Register, CommonSpirit had a short statement on its website saying it took some systems offline, including “electronic health record (EHR) and other systems.” As of Oct. 13, the statement was updated saying that “We have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees, and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created.”
Further, “As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols, which includes taking certain systems offline, such as electronic health records and patient portals. In addition, we are taking steps to mitigate the disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement.”
The statement adds that CommonSpirit is continuing to conduct a forensics investigation and review of their systems and will ultimately determine if there were any data impacts as part of that process.
“There is no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities,” the statement notes. “For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.”
In an Oct. 13 article by Debbie Cockrell for The News Tribune, Cockrell reports that “Operations at a VMFH hospital in Kitsap County have become especially difficult, with staff citing the ongoing IT issue, high patient demand and not enough staff. The Kitsap Sun reported that Saturday night [Oct. 8] the charge nurse in the emergency room at St. Michael Medical Center in Silverdale resorted to calling 911 for help in handling its backup of patients.”
An Oct. 13 article by Elisha Meyer for Bainbridge Island Review elaborated on the effect of the ransomware attack at St. Michael. Meyer reports that "St. Michael started experiencing problems Oct. 3 when it could not access the medical history of patients on its computer systems. It also caused issues with viewing x-ray and MRI results, among other complications. MyChart was also not available to patients who wanted to look at their own medical records."
Moreover, "The outage has led to mass cancellations of appointments and delays in critical medical procedures in Kitsap County. Without access to computer records, St. Anthony and other hospitals began using physical paper records and prescription bottles in an attempt to continue service to customers."
"St. Michael’s outage, combined with staffing shortages, led to members of Central Kitsap Fire & Rescue being sent to assist with work in the emergency room Oct. 8," Meyer comments.
Healthcare Innovation spoke with cybersecurity expert and former Stanford Children's Health CISO Chad Wilson, to get his perspective on the incident. Wilson says his initial thought is that “It’s a disaster. And an unfortunate one. As a CISO, this is something you don’t want to see happen”
Wilson adds that “A larger organization [like CommonSpirit] has more patients and families to take care of vs. a smaller organization.” He says that an incident like this at a larger organization also impacts more staff (than a smaller organization) that now have to do their jobs without the tools are resources they are accustomed to.
Yet, regardless of size, Wilson says that “It's not easy for anyone to recover from ransomware that hit its system. A lot of systems have to be validated back into service. I think the small organizations are exposed, quite honestly, some the difference [between large and small organizations] is not being as far along in security. And it's a challenge for smaller organizations to meet the same security standards as larger ones.”
“In this country, we don’t incentivize securing medical records,” he comments. “Everyone is not adhering to the same standard in the country and that's a legal challenge. We might hear about an incident at one large health care organization today. And tomorrow, it might be a smaller one that you don't hear about, but these incidents still have tremendous impact.”
In conclusion, Wilson says that a top challenge during an incident like this is the flow of information internally. “This is the information age,” Wilson notes. “Everyone wants updates every hour, and these things take time during an incident.”