On May 9, Ascension, the largest nonprofit and Catholic health system in the United States, announced that it fell victim to a major cyber attack. This occurs in the wake of the recent massive Change Healthcare cyber incident. But the attack on Ascension is different since it directly impacts clinical operations across multiple facilities.
After detecting suspicious activity on its network systems, Ascension quickly initiated remediation efforts and advised business associates to temporarily disconnect from its systems. Ascension also engaged Google-owned cybersecurity firm Mandiant to assist with the investigation and remediation efforts. Additionally, the healthcare nonprofit notified all the appropriate authorities about the suspected cyber attack.
Let’s dig into the details about what is known now about the Ascension cyber incident. We’ll also evaluate the potential future impact of the event on the healthcare sector.
What hospital systems were affected by the Ascension cyber attack?
As per Ascension’s cybersecurity event update page, systems that were made unavailable include the organization’s:
- Electronic health records system
- MyChart (which enables patients to view their medical records and communicate with their providers)
- Some phone systems
- Various systems utilized to order certain tests, procedures, and medications
Ascension states that, “Out of an abundance of caution, however, some non-emergent elective procedures, tests and appointments have been temporarily paused while we work to bring systems back online.” Furthermore, due to downtime procedures, several of Ascension’s hospitals have been placed on diversion for emergency medical services in order to ensure emergency cases are triaged immediately.
Ascension has 142 hospitals, 40 senior living facilities, and more than 2,600 care sites in 19 states and the District of Columbia. While Ascension has not revealed how many of its facilities have been affected, there have been reports indicating care centers in multiple states are experiencing disruption. Employees at those hospitals have reported that charting, scheduling, and prescription writing systems have been affected.
Who was responsible for the Ascension cyber attack?
CNN reported that four sources briefed on the investigation indicated that Ascension suffered a ransomware attack of the Black Basta variant.
As per the HHS, the Russian-speaking cyber gang Black Basta was initially spotted in early 2022 and is known for its double extortion style of attack. In ransomware double extortion attacks cyber criminals steal sensitive data from a victim and then encrypt it. The intruders then demand two ransoms: one to decrypt the data and another to prevent the stolen data from being leaked.
Black Basta targeted at least 20 victims in its first two weeks of operation indicating the group is highly advanced with a steady source of initial access. Its level of sophistication and the gang’s reluctance to advertise on Dark Web forums, suggest Black Basta may be a rebrand of the Russian-speaking ransomware-as-a-service (RaaS) threat group Conti. Or the group may be linked to other Russian-speaking cyber criminal organizations.
On Friday May 10, the Health Information Sharing and Analysis Center (a cyber threat sharing group for large health care providers worldwide) published an advisory warning that hackers using Black Basta ransomware have “recently accelerated attacks against the healthcare sector.” At least two health care organizations in Europe and the US in the last month have “suffered severe operational disruptions” due to Black Basta ransomware, the advisory said, without naming the health care organizations.
Black Basta operators are known to use unique tactics, techniques, and procedures (TTPs) to gain entry, spread laterally, exfiltrate data, and drop ransomware. Black Basta ransomware is a cross-platform variant that is only executed with administrator privileges on both Windows and Linux systems. The ransomware hinders machine processes and ultimately makes desktop files unusable before sending a ransom note to a victim.
Previous Black Basta attacks suggest that they use stolen credentials to breach organizations’ systems. Initial access may also be acquired via malicious links in a phishing email. Unlike other cyber threat actors, Black Basta uses a variety of tools and remote access methods like Qakbot (aka QBot), SystemBC, Mimikatz, ColbaltStrike, and Rclone.
After gaining access, the group then executes a “name-and-shame” attack against victims. Using a Tor site, Basta News, the gang publicly lists victims’ names, descriptions, percentage of published data stolen, number of visits, and any other data exfiltration.
In the trenches of the Ascension cyber attack
The Detroit Free Press reported that Ascension employees noticed computer network problems around 7 a.m. on May 8, as per three workers who spoke on the condition of anonymity. “There was a security concern, so they shut down the system,” one physician said. “It’s affecting everything.”
Another Ascension Michigan doctor said: “We have no access to medical records, no access to labs, no access to radiology or X-rays, no ability to place orders. We have to write everything on paper. It’s like the 1980s or 1990s. You go to the X-ray room to look at the X-rays on film, you call the lab and they tell you what the results are over the phone. So it’s just much more cumbersome, but we do have training for these moments.”
“I just hope it doesn’t last very long because certainly patient care will be negatively impacted,” a physician said. “The data shows that during computer network downtime, your risk of an adverse event goes up.”
Potential patient harm from the breach
The Change Healthcare incident was unprecedented in the number of medical practices affected and the damage it caused across the industry. The costs of the Change Healthcare breach are expected to exceed $1 billion. However, Change Healthcare is mostly involved in billing, pre-authorization, and processing patient claims to third parties. Meanwhile, the Ascension attack directly influences patient care.
For example, Saint Francis Hospital in Wisconsin found itself in a state of disarray. “We had no idea who those patients were or when they were coming in or what their orders were for, because we had no access to any of that information,” said Gavin Rice who works in imaging at Saint Francis and is also a member of the Wisconsin Federation of Nurses and Health Professionals.
Surgical technician and president of WFNHP, Connie Smith said nurses can’t compare old and new studies to gauge if a patient’s condition has changed. This can be dangerous in certain emergency situations, like those with heart issues. “If you’re coming in in an emergency situation, they want to compare EKGs,” Smith said.
Rice and Smith said staff are having a hard time paging doctors, getting scans, and getting X-rays. Electronic patient notes are now limited to pen, paper, and fax machines causing a delay in vital communication.
In 2017 an investigation was done to systematically review studies reporting problems with information technology (IT) in health care and their effects on care delivery and patient outcomes. The study results showed that use errors and poor user interfaces interfered with the receipt of information and led to errors of commission when making decisions. Errors involving medications were also seen. Issues with system functionality, system access, system configuration, and software updates also delayed care. In 53% of cases reviewed, IT problems were linked to patient harm and death.
Fallout from the Ascension cyber incident
While it’s still too early to know, the full impact of the Ascension cyber attack will be significant. First and foremost is the concern for patient wellbeing since an incident of this magnitude may lead to adverse outcomes in patient care. If so, the resulting legal costs could also be Ambulances were diverted as a result of the attack, which strained the network’s ability to provide essential services. Ascension has relied on emergency backup procedures to manage patient care across the network’s extensive system of hospitals and senior living facilities.
If the Change Healthcare incident is any indicator, regulatory bodies are certainly following the events of the Ascension breach closely. On its event update page, Ascension states that they have notified the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the American Hospital Association (AHA). Ascension is also “sharing relevant threat intelligence with the Health Information Sharing and Analysis Center (H-ISAC) so that industry partners and peers can take steps to protect themselves from similar incidents.”
In response to the Change Healthcare breach, the Office for Civil Rights (OCR) at the Department of Health and Human Services decided to open a HIPAA compliance investigation. Only time will tell if a similar investigation will be opened against Ascension.
Ascension, HITRUST, and future compliance issues
This attack’s impact has highlighted the US healthcare infrastructure’s cybersecurity vulnerabilities, prompting major discussions about cybersecurity readiness and response strategies. HITRUST certification is designed to let regulators, customers, and stakeholders know they can trust the strength of a certified organization’s cybersecurity and data protection program. The HITRUST framework is considered to be the gold standard for compliance.
At least some components of Ascension, like its Neighborhood Resource program, are HIPAA-compliant and HITRUST-certified. Furthermore, Ascension is part of an advisory council working with HITRUST and Frist Cressey Ventures to create best practices for data security for startups developing digital health technologies.
As the fallout from the Ascension cyber attack continues, the overall impact remains to be seen. Will patient health be adversely affected? What will any investigations reveal? How will regulators react to the event? And will the healthcare provider be hit with sanctions? In response to the incident, federal agencies including the FBI and CISA have issued advisories and are closely coordinating with Ascension. These agencies have also issued broader warnings about the increasing threat of ransomware attacks on critical infrastructure, including healthcare.
The back-to-back Change Healthcare and Ascension cyber incidents are shaking the healthcare industry to its core. The sector will likely increase its reliance on certifications like HITRUST. Undoubtedly, proof of regulatory compliance will take on even more importance as attacks like this continue to surface.
Monthly Newsletter
Get the Latest on Compliance Operations.
