Ascension Healthcare Ransomware Attack: Impact and Implications

By
Irina Smith
December 20, 2024

In May, Ascension, a major health system with 140 hospitals and numerous assisted living facilities, experienced a significant ransomware attack that led to system-wide disruptions. The cyberattack forced staff to revert to manual processes, resulting in medical errors, delayed or lost lab results, and the diversion of emergency services to other hospitals. The attack compromised the data of nearly 5.6 million individuals.

The cyberattack locked providers out of systems that track and coordinate nearly every aspect of patient care, including electronic health records and systems used to order certain tests, procedures, and medications. The disruption was so extensive that some clinicians described harrowing lapses in patient care, including medication errors and an absence of routine safety checks. In one instance, a nurse nearly administered the wrong dose of a narcotic to a baby due to confusing paperwork. Another nurse reported nearly administering the wrong medication to a critically ill patient because they couldn't scan it as they normally would. These incidents highlight the potential for harm to patients when healthcare systems are compromised by cyber threats.

Following the attack, Ascension successfully restored its systems and clinical functions. Although patient data was involved, there is no evidence that data was taken from Electronic Health Records (EHR) and other clinical systems, where full patient records are securely stored. As of December 19, Ascension has begun notifying individuals whose personal information may have been stolen and is offering free credit monitoring and identity protection services.

Examples of the Impact on Patient Care:

  • Clinicians reported delayed or lost lab results, medication errors, and the absence of routine safety checks: "Clinicians working for hospitals in three states described harrowing lapses, including delayed or lost lab results, medication errors, and an absence of routine safety checks via technology to prevent potentially fatal mistakes."
  • A NICU nurse nearly administered the wrong dose of a narcotic to a baby due to confusing paperwork: "Marvin Ruckle, who has worked as a NICU nurse at an Ascension hospital in Kansas, said problems caused by the cyberattack nearly led him to administer the wrong dose of a narcotic to a baby."
  • An ICU nurse nearly administered the wrong medication to a critically ill patient because she couldn't scan it.
  • A patient in Detroit received the wrong narcotic due to a paperwork mix-up and required ventilation.
  • A woman with low blood sugar went into cardiac arrest and died after a four-hour delay in receiving lab results.

Ascension's Response:

In response to the ransomware attack that compromised the personal information of nearly 5.6 million individuals, Ascension is providing several services to help those affected. These include two years of credit and fraud monitoring, a $1 million insurance reimbursement policy, and managed ID theft recovery services through IDX. These services became effective starting December 19, 2024. Additionally, individuals can find more information about free credit monitoring services or enroll by visiting https://response.idx.us/ascension/ or calling (866) 724-3233 between 8:00 a.m. and 8:00 p.m.

Ascension also emphasizes that they have successfully restored their systems and clinical functions, ensuring clinicians can access medical records electronically and that routine aspects of care, such as appointment scheduling and prescription filling, are functioning properly. Despite disruptions caused by the cyberattack, Ascension maintains that they continue to provide quality care across the communities they serve. They also stated that their care teams were "trained for these kinds of disruptions".

Furthermore, Ascension is notifying individuals whose personal information may have been stolen by mailed letter and is offering complimentary credit monitoring and identity protection services. Even those who enrolled in credit monitoring through Ascension earlier in the year can enroll in the new credit monitoring and identity protection service, which begins on the date of enrollment and continues for two years.

Ransomware Attack Implications:

The ransomware attack on Ascension Health carries several potential implications:

  • Financial Losses: The costs associated with responding to the incident, fixing the systems, covering legal fees, sending notifications, and offering credit monitoring could be substantial.
  • Reputational Damage: The cyberattack could diminish patient confidence in Ascension. If patients lose trust in a healthcare provider's ability to protect their personal information, it could affect their willingness to seek care from that organization in the future.
  • Legal and Regulatory Scrutiny: Following a data breach affecting millions of individuals, Ascension is likely to face investigations from regulatory bodies and potential lawsuits from affected individuals. The US Department of Health and Human Services has ranked the breach as the third-largest health care-related breach of this year.
  • Changes to Cybersecurity Standards: In light of recent cyberattacks, including the one on Ascension, government agencies may introduce stricter cybersecurity regulations for the healthcare industry. The Biden administration has been pushing to bolster health care cybersecurity standards, but the specific new measures remain unclear. These measures may include improving email security, adding multifactor authentication, and instituting cybersecurity training and testing.

Broader Cybersecurity Context

The cyberattack on Ascension Health underscores the increasing vulnerability of the healthcare sector to cyberattacks. Hospitals have become prime targets for ransomware. According to a cybersecurity expert, hospitals have become the number one target because "they have terrible security and they’ll pay". In 2023, the health sector experienced the largest share of ransomware attacks among vital infrastructure sectors.

Despite the rising threat, there are currently no federal requirements for hospitals to prevent or prepare for cyberattacks. This lack of regulation leaves many healthcare systems vulnerable and ill-equipped to handle sophisticated cyber threats. The Biden administration has pushed to bolster health care cybersecurity standards, but it’s not clear which new measures will be required. The Centers for Medicare & Medicaid Services is expected to release new requirements for hospitals, but the scope and timing are unclear.

The American Hospital Association (AHA) argues that third-party "business associates" are often the source of cyber risk exposure, rather than hospitals themselves. The AHA stated that most large data breaches that hit hospitals in 2023 originated with third-party entities. Regardless of the source, the potential implications of these attacks are significant, including financial losses, reputational damage, legal and regulatory scrutiny, and changes to cybersecurity standards.

The Ascension cyberattack underscores the need for robust post-market surveillance in healthcare cybersecurity. Just as medical devices and pharmaceuticals undergo post-market surveillance to monitor their safety and effectiveness after release, healthcare IT systems require continuous monitoring and assessment to detect and mitigate evolving cyber threats. This includes:

  • Ongoing Threat Monitoring: Continuously monitoring IT systems for suspicious activity and potential vulnerabilities.
  • Regular Security Audits: Conducting regular security audits and penetration testing to identify weaknesses in the system.
  • Incident Response Planning: Developing and testing incident response plans to effectively manage and contain cyberattacks.
  • Vendor Risk Management: Implementing thorough risk management processes for third-party vendors and business associates to ensure they meet adequate security standards.
  • Data Security Measures: Because stolen data can include medical information (such as medical record numbers, dates of service, types of lab tests, or procedure codes), healthcare organizations must ensure that the security and privacy of patient data are maintained.
  • Staff Training and Awareness: Ensuring healthcare staff are adequately trained on cybersecurity best practices and are aware of the risks associated with cyber threats.
  • Regulatory Compliance: Staying up-to-date with evolving cybersecurity regulations and standards, and implementing necessary measures to comply.

By adopting a proactive and comprehensive approach to cybersecurity post-market surveillance, healthcare organizations can better protect patient safety, maintain public trust, and mitigate the potential damage from cyberattacks.
