Ascension healthcare network disrupted by "cybersecurity incident," interrupting clinical operations
CHICAGO (CBS) -- The Ascension Healthcare Network announced Wednesday that its clinical operations have been disrupted by what it called a cybersecurity event.
In a news release, Ascension said it responded immediately after it discovered "unusual activity on select technology network systems" on Wednesday, and access to some systems has been interrupted with remediation efforts in progress.
"Our care teams are trained for these kinds of disruptions and have initiated procedures to ensure patient care delivery continues to be safe and as minimally impacted as possible," Ascension said in a news release. "There has been a disruption to clinical operations, and we continue to assess the impact and duration of the disruption."
The disruption has left some systems unavailable at Ascension, including the MyChart electronic health records system, some phone systems, and some systems used to order tests, procedures, and medications. Some elective and non-emergency procedures, tests, and appointments also have been put on hold while Ascension works to get its systems back online.
Ascension also said several hospitals are diverting emergency medical services to other area hospitals.
"We have implemented established protocols and procedures to address these particular system disruptions in order to continue to provide safe care to patients," an Ascension spokesperson said in a news release. "Our teams are working directly with any patient whose appointment or procedure will need to be rescheduled. We understand the frustration this may cause and sincerely regret any inconvenience to our patients."
There remained many unanswered questions about the hospital cyberattack. Asked if the incident was a ransomware attack – meaning hackers asked for money in exchange for restoring their systems – Ascension only called it a cyberattack.
Cybersecurity firm brought in to investigate
Ascension has 140 hospitals around the country – including 14 in the Chicago area. The hospitals see millions of visitors each year. It is not clear how many patients were impacted by the breach.
"Hospitals are some of the most connected places in the world," said Paul Keener, a cybersecurity strategist at GuidePoint Security.
Ascension said it has brought in the cybersecurity firm Mandiant Solutions to help investigate and has notified authorities.
"Together, we are working to fully investigate what information, if any, may have been affected by the situation," Ascension said. "Should we determine that any sensitive information was affected, we will notify and support those individuals in accordance with all relevant regulatory and legal guidelines."
Ascension did advise that business partners temporarily suspend their connection to the Ascension system.
On Thursday, an Ascension spokesperson said hospitals in Illinois didn't have any patient care service interruptions, but IT service has seen some interruptions.
Ascension is one of the nation's leading nonprofit and Catholic health systems.
This follows a ransomware attack on Change Healthcare — a subsidiary of healthcare giant UnitedHealth Group — which has compromised sensitive patient data and created billing headaches at pharmacies, hospitals, and practices nationwide, threatening to put some health providers out of business.
In January, Lurie Children's Hospital in Chicago was also hit with a high-profile cyberattack. The hospital had to take its phone, email, and other systems offline as a result – and weeks of disruptions to regular operations ensued.
Healthcare providers across the U.S. have suffered from a spike in ransomware attacks in recent years. Threat intelligence company Cyble reports 105 ransomware attacks on the health care sector globally since Feb. 1, of which 77 were in the United States.
Last month, HHS Secretary Xavier Becerra told CBS News that the consolidation of healthcare networks nationwide risks "capacity com[ing] at the expense of real competition," adding, "The consolidation occurs to such an extent that there are only a few players and when one or two of those big players goes down, so goes the industry. We can't afford to have that."
Ascension has not said whether its cyberattack was a ransomware attack.
Cyberattacks are "about money," expert says
The speedy public response, Keener said, sets Ascension's reaction apart from other hospitals that have experienced something similar, like the one at Lurie's that took weeks to resolve and gather any complete information.
He also said the announcement from Ascension is a good thing.
"They want people to know that they understand that there's an issue going on that they've got, that they're on top of it, and that they're responded appropriately," said Keener.
Keener said Ascension is likely now doing damage control.
"They're investigating and trying to figure out how far – we call it a blast radius," said Keener said, "how big of an impact it is, what's affected, and how to stop it from spreading any further."
Keener also explained the ramifications of bringing on a cybersecurity solutions firm, as Ascension has.
"Mandiant is an incident response company," said Keener, "and what that means is when things happen, and what you're looking for is someone, you know, who is not associated; who is not part of your team, come in and look at it from the outside to make sure that you didn't miss anything."
It is a sure sign, experts said, that the hospital network believes something bad has happened.
"When it comes to a cyberattack, this is about money. It's not personal attack against the hospital. It's not a personal attack against the business. It is about money," Keener said, "and so where they can leverage that data, they're pulling to go and maybe create false identities, apply for credit cards."
Keener also explained what it meant that clinical operations were disrupted.
"When an attacker goes after clinical operations, that usually means that they're not able to provide emergency room services, outpatient type of - someone coming in and doing appointments, those types of things," said Keener.
Keener added that, should any patients' information be compromised, they would work to notify and support those at risk.
In the meantime, Keener had some tips for clients.
"Monitor your credit regularly – especially if you're notified by an organization that you're part of an attack," said Keener. "Make sure you lock your credit so people can't take out loans without it being unlocked."
Among the hospitals Ascension operates in the Chicago area are Ascension Holy Family in Des Plaines, Ascension Alexian Brothers Medical Center and Behavioral Health Hospital in Elk Grove Village, Ascension St. Alexius in Hoffman Estates, Ascension St. Mary and St. Elizabeth in West Town, Ascension St. Joseph in East Lakeview, Ascension St. Francis in Evanston, and Ascension Resurrection in Norwood Park.
The disruption was also affecting hospitals in Michigan.
These hospitals had been part of the AMITA partnership between Ascension and AdventHealth before the partnership split up two years ago.
CBS 2 reached out to Ascension to see if they would sit down and answer questions. The health care network did not respond to CBS 2's email.