Austin's Ascension Seton Medical Center is among the hospitals affected by a nationwide cybersecurity breach of Ascension technology systems. This breach has had a profound impact on the healthcare system, causing disruptions that extend far beyond Austin. As hospital staff are forced to revert to manual processes, the efficiency and safety of patient care are compromised.
Ascension, one of the largest health systems in the United States, operates approximately 140 hospitals across 19 states and the District of Columbia. The cybersecurity incident, which was first detected on Wednesday, May 8, has affected multiple technology network systems used by Ascension, including electronic health records and systems used for ordering tests, procedures, and medications.
As we reported recently, Black Basta ransomware, most likely responsible for this attack, has quickly emerged as a formidable threat since it was first detected in April 2022. The group, which operates as ransomware-as-a-service (RaaS), targets a wide range of sectors, including critical infrastructure such as healthcare. The ransomware employs double-extortion tactics: stealing sensitive data before encrypting the victim's files, then threatening to publish the data unless a ransom is paid. It burst onto the scene in 2022 with dozens of breaches; soon thereafter, over 40% of breaches were in the U.S. and almost 16% in Australia, according to Trend Micro.
Unfortunately, it took two years for America's cyber defense agency, CISA, in partnership with the FBI, the Department of Health and Human Services (HHS), and the Multi-State Information Sharing and Analysis Center (MS-ISAC), to release a joint Cybersecurity Advisory (CSA), #StopRansomware: Black Basta. The advisory gives cybersecurity defenders the tactics, techniques, and procedures (TTPs) and indicators of compromise (IOCs) used by known Black Basta ransomware affiliates, as identified through FBI investigations and third-party reporting.
The Immediate Impact on Hospital Operations
A spokesperson for Ascension described the situation as "unusual activity" detected across their network. As the breach progressed, it became clear that essential systems were compromised, leading to significant operational disruptions. Phone capabilities were affected, and patients found themselves unable to access portals used to view medical records or contact their doctors.
In response, hospital staff had to shift to "manual and paper-based" processes. An Ascension spokesperson emphasized that their care teams are trained for such disruptions, stating, "Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible."
However, the reality on the ground paints a different picture. Kris Fuentes, a neonatal intensive care unit worker at Ascension Seton Medical Center in Austin, expressed her frustration: "It's kind of like we went back 20 years, but not even with the tools we had then. Our workflow has just been really unorganized, chaotic, and at times, scary." Fuentes highlighted the inefficiencies introduced by manual processes, noting that medication orders, lab tests, and imaging requests are now handwritten and manually distributed, increasing the likelihood of errors and delays.
Delays and Errors in Patient Care
The manual processes have significantly slowed down hospital operations. Fuentes pointed out that "medications are taking longer to get to patients, lab results are taking longer to get back." These delays can have serious implications for patient care, especially when timely lab results are crucial for determining treatment plans.
Despite the best efforts of hospital staff, the system's inability to function normally has led to widespread issues. As of Tuesday following the attack, Ascension had no timeline for resolving the issues and continued to work with cybersecurity experts to investigate and restore affected systems. The FBI and Cybersecurity and Infrastructure Security Agency are also involved in the investigation.
Broader Implications and Responses
The cyberattack has led to emergency patients being triaged to different hospitals, postponement of non-emergent appointments and procedures, and some Ascension pharmacies ceasing operations. Patients have been asked to bring prescription bottles or numbers to facilitate medication orders, and those enrolled in Ascension health insurance plans must mail in monthly payments while the electronic payment system is down.
Cybersecurity breaches in American healthcare systems have been on the rise. A 2023 study from the University of Minnesota found that ransomware attacks more than doubled from 2016 to 2021, compromising the private health information of nearly 42 million people. The Ascension breach follows a major ransomware attack on Change Healthcare in February, which exposed millions of Americans' health data and caused significant delays in processing healthcare claims and prescriptions.
Personal Stories from Affected Individuals
Nicole Dye, a Middle Tennessee mother, faced a tough decision about delivering her baby at an Ascension hospital amid the cybersecurity crisis. Despite concerns about billing, insurance, and the overall care process, she decided to proceed with her planned C-section at Ascension Saint Thomas Midtown after consulting her OBGYN and hearing positive experiences from others who delivered during the cyberattack. Dye's story underscores the anxiety and uncertainty patients face during such incidents.
In Michigan, Ascension employees, including doctors and nurses, reported dangerous conditions due to the cyberattack. A nurse from Ascension St. John Hospital in Detroit described the situation as "so, so dangerous," with medical orders being written on paper and faxed, leading to hours-long delays even for critically ill patients. This nurse expressed concern about potential errors due to duplicate patient record numbers and the lack of accurate tracking for patient medications and tests.
A System Under Strain
Ascension has been working with Mandiant, a cybersecurity consulting company, to investigate the breach and determine whether any sensitive data was compromised. In the meantime, Ascension has urged patients to bring detailed notes on their symptoms, health history, and medications to appointments and tests. They also advised patients to seek alternative pharmacies and to be prepared for delays in diagnostic imaging and testing.
The cyberattack has not only disrupted hospital operations but also caused significant distress for patients and staff. Chris Short, a disabled veteran from Commerce Township, had to ration his medications and cancel a work trip to sort out prescription transfers. He described the situation as a "real dumpster fire" and expressed concern about his ongoing care at Ascension facilities.
Conclusion
The Ascension cyberattack highlights the critical need for robust cybersecurity measures in healthcare systems. As hospitals revert to manual processes, the efficiency and safety of patient care are compromised, leading to delays and errors that can have serious implications. The incident has underscored the importance of preparedness and resilience in the face of cyber threats.
While Ascension works to restore its systems and ensure patient safety, the broader healthcare community must take heed. Investing in advanced cybersecurity measures and ensuring that contingency plans are in place can help mitigate the impact of such attacks in the future. The Ascension breach serves as a stark reminder of the vulnerabilities in our healthcare infrastructure and the urgent need to address them to protect patients and maintain the integrity of medical care.
Read more from NPR, WKRN, Detroit Free Press and CBS News.
---
Aside from his role as CEO of Apex Technology Services, Rich Tehrani is CEO of RT Advisors and a Registered Representative (investment banker) with and offering securities through Four Points Capital Partners LLC (Four Points) (Member FINRA/SIPC). RT Advisors is not owned by Four Points.
The above is not an endorsement or recommendation to buy/sell any security or sector mentioned. No companies mentioned above are current or past clients of RT Advisors.