CommonSpirit takes IT systems offline amid cybersecurity incident
One of the nation’s largest health systems is experiencing a cybersecurity issue that has forced several of its facilities to shut down their EHR systems. Cybersecurity experts say the incident serves as an important reminder that healthcare providers remain a prime target for hackers.
CommonSpirit Health, a nonprofit health system with headquarters in Chicago, posted a statement on Tuesday confirming that “an IT security issue” has been impacting some of its facilities. The health system operates 140 hospitals and more than 1,000 care sites across 21 states, according to its website.
In the statement, CommonSpirit confirmed it has taken some of its IT systems offline, including certain facilities’ EHRs.
“Our facilities are following existing protocols for system outages and taking steps to minimize the disruption,” the statement read. “We take our responsibility to ensure the security of our IT systems very seriously. As a result of this issue, we have rescheduled some patient appointments. Patients will be contacted directly by their provider and/or care facility if their appointment is impacted.”
CommonSpirit has not confirmed the specific nature of the security issue, nor whether patient data was compromised. The health system did respond to MedCity’s questions in time for this article’s publication.
The issue has forced EHR systems offline in at least three separate regions, according to local news reports.
CommonSpirit’s cybersecurity issue does not stand in isolation. In the past 30 days alone, 22 healthcare providers across the country have been the victims of patient data breaches resulting from hacking incidents, according to HHS’ data breach reporting portal.
CommonSpirit is not the only large system to be targeted — in fact, size does not guarantee immunity from this problem. For example, Kaiser Permanente notified nearly 70,000 patients this summer about a data breach that may have exposed their personal information. And last month, Geisinger notified nearly 3,000 patients about a ransomware attack that compromised their personal information.
These attacks can be very expensive for health systems — take Maryland-based LifeBridge Health for example. The health system recently agreed to pay $9.5 million to settle a lawsuit over a 2018 data breach that affected about 530,000 patients’ personal data.
Healthcare providers often collect a vast amount of personal data that can be used for identity theft, which makes them “very inviting targets for groups that lack any ethics or morals,” Erich Kron, a security awareness advocate at cybersecurity software firm KnowBe4, said in an emailed statement.
Cyberattacks against providers are “especially abhorrent” because they can disrupt the ability to provide care to patients who may desperately need it, another cybersecurity expert pointed out. The expert — Chris Clements, vice president of solutions architecture at cybersecurity firm Cerberus Sentinel — said that the only way healthcare organizations can protect themselves is to commit to a “true culture of cybersecurity” with buy-in from the most prestigious members of the C-suite all the way down to each business and care delivery line.
Providers must conduct regular risk assessment and tabletop exercises in order to flag any technology dependencies that could affect the organization’s ability to operate, according to Clements. He also recommended organizations establish both preventative and remediation action plans to optimize organizational cybersecurity resilience.
Because most ransomware attacks begin with phishing emails, providers should also implement security awareness training and a simulated phishing program, Kron said.
Photo: traffic_analyzer, Getty Images
Gloss