Health System Ransomware Attack Outlines Patients' Vulnerability

A crippling ransomware attack on the second-largest nonprofit health system in the United States demonstrates how many patients can be left in the dark when critical healthcare infrastructure fails. 

The attack earlier this month on CommonSpirit Health, which operates 142 hospitals in 21 states, resulted in IT being locked down, surgeries being delayed, and widespread disruptions in patient care. According to experts, it also left millions of patients waiting at least two weeks to learn if their personal information had been compromised. 

"We don't know what was disrupted," Israel Barak, chief information security officer at Boston-based Cybereason, told Axios.

"For instance, patients don't know what sort of potential disruptions this has caused to certain services or procedures, and they have no idea of the extent to which their personal information might have been stolen. As consumers of these services we don't have a way to control our destiny or manage our risk," Barak added.

According to the Washington Post, the latest attack comes as the Biden administration considers how to strengthen minimum cybersecurity standards in critical infrastructure such as health care. According to a recent report from CrowdStrike, there has been a nearly 50% increase in interactive intrusion campaigns this year, with some of the most notable increases targeting health institutions.

According to Fierce Healthcare, 45 million people were affected by healthcare attacks in 2021, up from 34 million in 2020.

State of play:

Experts believe healthcare systems remain particularly vulnerable to threats. According to Barak, they are highly complex, relying on vulnerable supply chains and on connections with numerous small clinics and vendors. With lives at stake, hospitals stand to lose more if they do not pay up.

However, health systems have fewer incentives to prioritise cybersecurity, according to Grant Elliott, CEO of Arlington, Virginia-based risk management platform Ostendio.

"There is a distinct lack of enforcement within health care generally, and as a result, there isn't a huge amount of consequence to these organisations for failing to build an effective security programme," Elliott explained.

According to a 2020 study conducted by CybelAngel, more than 45 million X-rays, CT scans, and other medical images could be accessed on unprotected, unencrypted, and password-less servers.

What's next?

CommonSpirit confirmed in a statement Monday it is still working to bring systems back online.

"As previously shared, we took immediate steps to protect our systems, contain the incident, begin an investigation, and maintain continuity of care. It will take some time before we can restore full functionality and we continue work to bring our systems up as quickly and safely as we can," CommonSpirit said in an emailed statement.

They said they could not provide additional information because of an ongoing investigation. A page on their website said there was "no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities."

According to Elliott, there is no industry consensus on the best way to handle a ransomware attack. Although reporting requirements exist, it can also take health systems some time to fully determine what information has been compromised.

However, he stated that the problem with many federal health care regulations for hospitals when it comes to data breaches is that they are not specific enough.

"Especially when you have something like a ransomware breach," he said. "Is this particular breach, they've simply frozen the assets and the organization can no longer access information which is its own concern? Or has the third party actor actually gained access to that information and downloaded it and threatening to release that information?"

While the impact of ransomware attacks on patient safety is the primary concern, the speed and specificity with which hospitals communicate the threat to patients is also critical.

"As an industry, there's a lot more we can do to regulate how healthcare data is managed," Barak concluded.