Critical Infrastructure Security, Ransomware

Ascension and Change Healthcare are not the news

Cyberattacks on healthcare

Many of Ascension’s 140 non-profit hospitals remain offline more than three weeks after a cyberattack. While officials said in a May 24 update that their security team has continued its restoration operations, there have been reports all over the country that many hospitals still have issues.

News outlets in Austin, Texas, say clinicians remain concerned over their ability to safely care for patients. At one Central Texas Ascension hospital, hospital workers describe three- to four-hour wait times for basic lab work that makes it difficult to determine the severity of illnesses for some patients. Others say mistakes are frequent, from the wrong orders for patients to even their personal and health information.

Patient care has continued across Ascension hospitals, but it’s the clinicians and patients who face the pressure – and concerns for safety.

It’s been only two months since threat actors took down UnitedHealth and Change Healthcare, and public officials and leaders from UnitedHealth are still determining the full impact on their business operations.

Today, the focus has shifted to Ascension, and what led to their downfall. Ascension has not yet determined the timeline for full recovery. But the average downtime in healthcare is well over four weeks.

Its electronic health records and systems supporting its pharmacy operations remain offline, and officials note that the severity of the service disruption varies by region. The May 24 notice shares some progress, but the clinician narratives around the Ascension outage are finally making it clear to the public just how harmful cyberattacks against healthcare providers are – something industry leaders have long warned against.

In other industries, operating under manual processes would not raise concerns around safety. But in healthcare, operating without technology means medication dispensing, accessing and recording patient medical information, or even performing diagnostics tests would have an impact on patients.

But these incidents don’t just impact the targeted hospital: just one year ago, researchers confirmed that cyberattacks have rippling impacts across the region as patients are diverted to neighboring hospitals that may not have been prepared for the influx of patients.

In 2021, Christian Dameff, an emergency room physician at USCD Health and renowned medical device security researcher summed up the risks: “Our ability to diagnose a patient is tied to the technology that we use every day as clinicians: we are so dependent. You can imagine during a large ransomware attack, wherein these technical systems are no longer available, that we can’t do our jobs as clinicians.”

So while the media and Congress investigate the data impacts of Change Healthcare and the overall costs (well over $1B), it’s imperative that everyone does not lose sight of the real impact: patient safety and the small and/or rural hospitals that are the hardest hit in all of these incidents.

Heightened targeting and limited resources

Ever since global law enforcement took down ransomware-as-a-service (RaaS) operators and the attackers announced that the gloves were off when it comes to leaving healthcare out of their business model, the sector has been under a clear and present danger of a major assault on their systems.

While RaaS operators are not technically seen as nation-state attackers, they are in fact sanctioned by nation-states owing to their ability to disrupt another country’s critical infrastructures. As such, the we need a national response.

Of course, our response to date has been weak. At best we are only reacting to attacks, calling in Mandiant and offering credit monitoring. At worst, we are only paying lip service to attacks through congressional inquiries and bully pulpit stump speeches.

Small providers, clinics, and hospitals are still facing financial difficulties from the Change Healthcare event, including whether and how to stay open. When clinics in rural areas close, patients have to travel greater distances for treatment, leading to delays in care and patient safety risks.

It’s clear the federal government’s plan to issue baseline cybersecurity requirements for hospitals comes at a critical time, considering the clear impact to all of healthcare. However, for these smaller entities, any unfunded mandates will not be effective without inducements to encourage providers of all sizes to meet those requirements.

These baseline requirements are about nothing less than the care and safety of every American. Although these measures will support the missive to "do no harm," many healthcare entities struggle with these basics.

A prime, unfortunate example of this, is that Ascension has one of the most well-resourced security teams in healthcare, and yet, attackers found a foothold and have disrupted operations and many of its hospitals. Without broader support from industry leaders to proactively support healthcare as a critical infrastructure entity, these attacks and their disruptions will continue to put all Americans at risk.

The public, federal and state government leaderships, industry leaders, and Americans must not lose sight of these incidents. We cannot continue with the idea that this is yesterday’s news cycle, nor can we continue to point fingers and debate on whether or not baseline measures are asking too much for healthcare leaders. That's beyond the point.

The current posture and routines are not working. We need leaders who are willing to step up and say “Enough is enough.” We need to codify the recommendations put forth by the Health Sector Coordinating Council and the Department of Health and Human Services’ Healthcare Industry Cybersecurity Practices (HICP) and fund the creation of a cyber defense perimeter for the nation’s healthcare critical infrastructure.

Because indeed, enough is enough.

Toby Gouker, chief security officer, First Health Advisory

Toby Gouker

The former Provost for the SANS Technology Institute, Toby Gouker brings a wide breadth of privacy and security expertise to First Health Advisory’s cyber health practice. Coupled with years of experience in the federal healthcare IT industry, his expertise sits at the nexus of cybersecurity, health policy, and healthcare risk management. With over 30 years of industry experience and 10 years in education, Gouker is both a scholar and practitioner, offering healthcare organizations guidance on business tools and techniques that help organizations protect IT and data assets.


Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.