A notification from the Department of Health and Human Services to the healthcare sector confirms the cyberattack on CommonSpirit Health and widespread IT outages were brought on by a ransomware attack.
It’s currently unclear just how many of the more than 1,000 care sites and 140 hospitals operated by CommonSpirit across 21 states have been impacted. But the incident has led to appointment cancellations and care delays, as providers leverage paper processes and medical records at the impacted facilities.
“It is essential that sector stakeholders maintain awareness of threats and take actions to secure their technology systems,” HHS officials warned. Providers are being directed to the Cybersecurity and Infrastructure Security Agency’s Shields Up webpage for more information.
The impact of the incident has stretched to at least a dozen hospitals, nearly as expansive as the 2020 ransomware attack on Universal Health Services, one of the largest U.S. health systems. All 400 U.S. care sites were brought offline for three weeks, however electronic health records systems were not directly impacted by the attack. Overall, the outages cost UHS $67 million in lost revenue and recovery efforts.
As previously reported, the CommonSpirit outages began on or around Oct. 3, spurring electronic health record downtime procedures at CommonHealth subsidiaries and hospitals across the country. Ambulances were diverted at several hospitals across the country immediately following the attack. But it’s unclear whether emergency care diversion is still in place.
“For an organization the size of CommonSpirit to be hit, when care delivery is already stretched to the max in so many parts of our country, puts numerous health providers and the entire ecosystem of care in the red zone, endangering all of us,” Carter Groome, CEO of First Health Advisory told SC Media.
The impact of the "incident is still being assessed, and the public may not ever get a full account of what is happening right now,” Groome added. That doesn’t mean the organization isn’t “putting every bit of expertise and capability into mitigating the immediate risk to patients, as care diversion, care delay, access to critical decision data, operational uptime, and even patient portal access must be top of mind for the highest levels of leadership.”
While some media outlets have raised concerns about the possible impact on data, the real risk of these outages is to patient safety and care morbidities. A certain subset of patients have seen appointments and planned procedures canceled until the outages have ended, including those tied to cancer treatments.
Multiple Reddit threads contain unconfirmed reports from users claiming to be nurses across the country expressing concerns with the shutdown.
One patient from Seattle claimed that they’re dealing with a tumor from home and unable to get the medications needed for treatment, as the hospital was not able to use their computer systems to confirm the patient’s identity. Instead, providers are requesting paper prescriptions. Other users appear to confirm local media coverage that surgeries and other medical care procedures are being delayed, including provider appointments.
“Patients suffer when their care is delayed, disrupted, and otherwise diverted,” and the potential consequences of these delays “are indisputable,” said Groome. Indeed “a breach to one organization is a breach to our entire critical infrastructure of healthcare.”
“Without a doubt, morbidity is increasing because of cyberattacks, and we simply cannot just go back to business as usual. I’m beyond frustrated,” he added. “This year after year, neverending scourge that feels like groundhog day has got to abate. We, as a nation, can do something about this, and it’s about time we get more support from Washington.”
It’s unclear what ransomware variant was used in the attack or the group behind it. The HHS alert notes that “CommonSpirit is coordinating with the law enforcement to understand the full extent of the impact and communicating with the HHS to maintain awareness of what, if any, impact there may be to patient care.”
In response to the attack, HHS is urging all provider organizations to review freely available cybersecurity resources against their current controls, given the continued targeting of the healthcare industry by malicious actors.