CHICAGO (AP) — Ambulances hijacked. Delayed cancer treatment. Offline electronic health records. These are just some of the ripple effects of an apparent cyberattack on a major nonprofit healthcare system that has disrupted operations across the United States.
Although CommonSpirit Health confirmed it encountered a “computer security issue” earlier this week, the company remained silent when pressed for more details on the scope of the attack. The healthcare giant has 140 hospitals in 21 states. As of Thursday, it’s still unclear how many of its 1,000 care sites that serve 20 million Americans have been affected.
Despite lingering questions, the incident underscores growing concerns surrounding ransomware attacks on healthcare systems with patient care at stake.
In Tacoma, Wash., Mark Kellogg told KING-TV that his wife, Kathy, was due to have a cancerous tumor on her tongue removed on Monday, but the procedure was postponed for days due to the cyberattack. Virginia Mason Franciscan Health’s parent company is CommonSpirit Health.
“Everything we do today is on a computer, and without it you go back to the Stone Age writing on a tablet,” Kellogg said.
In Iowa, the Des Moines Register reported that the incident forced the diversion of five ambulances from the emergency department at MercyOne Medical Center in the city to other medical facilities.
The incident forced MercyOne and VMFH to take certain IT systems, including patient electronic health records, offline as a precaution.
Brett Callow, threat analyst at cybersecurity provider Emsisoft, said the incident could be “the largest attack on the healthcare sector to date” if all hospitals and other CommonSpirit facilities were affected. .
Emsisoft has tracked at least 15 healthcare systems in the United States hit by ransomware this year, which run more than 60 hospitals. Callow said data was stolen in 12 of the 15 instances, adding that these were almost certainly underestimated because some ransomware attacks are not widely reported.
Callow said one of the biggest known healthcare attacks happened in September 2020 when a ransomware attack hit all 250 healthcare facilities owned by Universal Health Services.
CommonSpirit’s incident could exceed that, depending on how many of its facilities are affected. This could mean that the company faces significant financial costs to overcome the incident and recover.
Callow cited as an example the loss of more than $100 million reported by Scripps Health related to a 2021 ransomware attack that affected its five hospitals in California.
Asked Thursday for more information about the incident and its effects, a spokesperson for CommonSpirit said the health system could not provide further details.
The most worrying effect of any substantial attack on health care is on patients, Callow said.
“I have seen reports that at least one of the affected hospitals has had to divert ambulances to other facilities and this delay in getting the care people need could obviously pose a risk to the lives of patients” , did he declare. “Beyond that, these incidents can have a long-term impact on patient outcomes, delaying treatments, for example.”
In 2020, the FBI and other federal agencies warned they had credible information that cybercriminals could unleash a wave of data extortion attempts against US hospitals and healthcare providers.
Indeed, criminals using ransomware are stealing more and more data from their targets before encrypting the networks, using them for extortion purposes. They often seed the malware weeks before activating it, waiting for the times when they think they can extract the highest payouts.
Healthcare is classified by the US government as one of 16 critical infrastructure sectors Healthcare providers are considered ripe targets for hackers.
If patient data is accessed, healthcare providers are required by law to notify the Department of Health and Human Services.
#Hospital #chain #attack #among #lingering #cybersecurity #concerns