CommonSpirit Health confirmed that some of its sites in 21 states were impacted by a ransomware attack, but few other details have been released weeks later.

Now into its third week of care disruptions, a new update from CommonSpirit Health confirms that only a portion of its 700 care sites and 142 hospitals in 21 states have been impacted by the ransomware attack and subsequent IT and network outages.

“There is no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities,” officials said in a statement. “Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees, and caregivers. Patient care remains our utmost priority.”

Patient safety has been “central to our decision-making,” CommonSpirit officials stated. The care team is continuing to “carry out our mission in a manner that is safe and effective to those we serve.”

Dignity Health is made up of 12 hospital or care facilities and 125 provider offices; TriHealth has 400 care sites and 39 hospitals; and Centura Health has 19 hospitals and what appears to be 488 provider offices. As such, it appears the bulk of the impact is concentrated in CHI Health facilities and Virginia Mason Franciscan Health, outside of VMMC.

It appears that the impact is much smaller than sensationalized reports suggest. However, as Carter Groome, CEO of First Health Advisory, recently explained: “Patients suffer when their care is delayed, disrupted, and otherwise diverted,” with “indisputable” consequences.

Even if just one hospital was hit, “a breach to one organization is a breach to our entire critical infrastructure of healthcare.”

To better understand what may be going on behind the scenes and possible reasons for communication gaps, SC Media tuned in to a Critical Insights webcast and spoke with Jon Moore, Clearwater’s chief risk officer and senior vice president of services and customer success.

“You want to be really careful throwing stones in glass houses,” Moore stressed. It’s truly the conundrum of the Health Insurance Portability and Accountability Act Security Rule: providers are victims of an attack launched by a nation-state or criminal actor, “which is not a trivial foe to be attacked by,” and then “we end up blaming the victim,” he continued.

As a bystander, it’s easy to watch the attack unfurl and immediately cast blame, but nothing is necessarily clear yet and all finger-pointing stems from conjecture. Until the facts are revealed about the incident, it will be impossible to know if they took HIPAA-required measures, or were negligent.

Scant details amid attack fallout, but what does HIPAA require?

As previously reported by SC Media, the Department of Health and Human Services confirmed a ransomware attack struck the hospital network on or around Oct. 3, prompting the response team to take the electronic health record and other systems offline at CommonSpirit subsidiaries and hospitals across the country to prevent the spread.

Until its latest notice, CommonSpirit had remained tight-lipped about the scope of the incident, which has caused outcry among nurses, patients, and even one security leader at an impacted hospital — all noting how the massive health system should be communicating its progress.

But, if CommonSpirit is in direct communication with HHS leaders and has been working with law enforcement on its investigation, have they done their due diligence?

“They're not being completely forthcoming yet, but they don't have to,” Fred Langston, Critical Insights’ founder and chief product officer, recently said during a webcast. But there’s likely a lot of negotiating going on at the moment, as the FBI and the insurance company are involved, in partnership with the team working to bring the systems back online to reduce the impact on hospitals that rely on CommonSpirit for their EHR.

Communication might also be stymied by the number of parties involved, as well as coordination with law enforcement, Moore explained. And it’s likely CommonSpirit’s cyber liability insurance carrier is also involved with its legal team. “There's a lot of other people weighing in on what information is being communicated, and to whom.”

CommonSpirit is in “a bit of a challenging situation,” he added. The incident response group is probably being briefed regularly on the status, with a lot of information, including a lot of unknowns. The team is “probably being very careful to make sure what they say is factual.”

As Moore put it, if you've ever been in some of these crisis situations in organizations, some people take the approach of being “as open, truthful, and honest, as we can.” Other individuals may align with the ideology that sharing each step may create “more ammunition for people to poke at us.”

“It becomes more of marketing, political/legal conversation than anything else,” he added. The publicized information is likely sensitive to any possible class-action lawsuits that may come from the incident, as well as possible reporting obligations and any care disruptions that could impact their ability to safely provide care.

HIPAA outlines precise reporting guidelines as they relate to a security incident and whether there’s been a breach of protected health information. But that notification is not required until 60 days later, and that timer does not start until the breach has been discovered. As the Department of Health and Human Services is in direct contact with CommonSpirit, the health system appears to be following regulations.

The nature of cyberattack recovery processes

As Moore notes, typically in these kinds of outages there’s a lot going on behind the scenes that can range from “chaos, to the execution of a well-laid plan.” It’s currently unclear where CommonSpirit is on that spectrum. Given its size, “we can speculate they're probably not in chaos, but probably not as efficient as they could be in the execution of the incident response plans they may or may not have in place.”

CommonSpirit is likely in the middle of a technical track, working to understand the nature of the attack, the variant used, the details of the attack itself, and its efforts to contain it, before moving to eradication. Moore explains they’re likely in the containment mode, actively shutting off systems to prevent the spread of the ransomware. Some systems may be down because of a direct infection, while others were likely turned off to prevent the spread of the infection.

Once they move past that stage, they’ll move into the “eradication mode,” which will depend, to a certain extent, on whether they've identified the variant of ransomware used, looking for its indicators within their systems and trying to remove those, Moore explained.

However, “they need to be careful doing that because if they're on that parallel track, potentially negotiating with the attackers themselves, and begin eradicating things, and that can, to a certain extent, remove their ability to pay the ransom, because you've taken down the pieces that would facilitate that,” he added.

Hopefully, the provider previously conducted a business impact analysis that would have created “tier systems” that dictate the order of technical recovery based on the impact to necessary business processes, said Moore. As such, they may be steadily working through those tiers to get mission critical systems back online as soon as possible.

CommonSpirit could also be dealing with impacts to its backup systems or files, which could impact recovery, as well. But what’s clear is that they’re still working through these processes. The EHRs were not accessible, so while the responsibility may not fall on one particular entity’s shoulders, “as a hospital, if you still can't access your EHR, that's catastrophic,” Langston noted.

“Because right now, if you go to a hospital, and you had a chemo session scheduled, they're having to reschedule,” said Michael Hamilton, Critical Insights CISO. “There's no record now that says, here are the antibiotics I'm allergic to.”

A call to action for health system leadership

CommonSpirit presents an “interesting juxtaposition of things,” explained Hamilton: the day before the cyberattack and IT outage was reported, the provider “posted a billion dollar operating loss, which is common in the health sector.”

“The health sector is on the ropes between its revenue down and margins down, and having to pay traveling nurses instead of staff nurses — hospitals are having a real hard time,” he continued. They posted an operating loss, and a day later, issued a $1.5 million bond. “I don't know if the event that's going on right now is going to impede their ability to raise funds because they certainly need to raise funds.”

However, CommonSpirit is a parent company of hundreds of care sites and hospitals, as well as a provider of a lot of shared services like EHRs, which means the full impact of the event could be far greater than expected.

What’s clear is that only a portion of CommonSpirit subsidiaries have been impacted, which indicates that only some care sites are sharing the IT and systems impacted by the ransomware attack. It could be that they were able to segment off their systems. As Moore noted, it’s the complexity of these disparate systems that may have reduced the impact, but it simultaneously increases the CommonSpirit footprint and likelihood of an unpatched vulnerability.

As theories and patient safety concerns continue to be shared, “the bottom line is, you're out of your EHR,” said Langston. “Affixing blame is ultimately down the road when the law dogs get involved. But this is really about, does your chief medical officer understand what to do if there's a breach that isn't even yours, preventing you from giving care?”

“Moving to pencil and paper is viable, but you cannot handle the volume of clients, especially if we're in the middle of a pandemic, we're heading into the flu season, and kids are back in school…all these things are gonna start impacting the volume of patients they can see. And if you slow down and pencil on paper, you're probably going to be diverting patients or canceling elective surgeries,” he added.