CommonSpirit’s ‘IT security incident’ was likely cyberattack, security experts say
An “IT security incident” reported this week by CommonSpirit Health, one of the nation’s largest health systems, is likely a cyberattack, security experts said.
CommonSpirit announced on Tuesday that an unspecified security incident was affecting multiple regions and interrupting access to electronic health records. As a precautionary step, some systems were taken offline as a result of the incident, the system said.
When asked whether the incident was a ransomware attack, CommonSpirit spokesperson Chad Burns told Healthcare Dive on Wednesday via email that the system was unable to provide more details.
Burns didn't respond to an emailed request seeking more details about the incident by the time of publication.
Some of CommonSpirit’s facilities in Chattanooga, Tennessee, moved certain systems offline including electronic health records, according to a statement from CHI Memorial, which operates two hospitals in the Chattanooga area.
Some patient procedures were rescheduled due to the incident, CHI Memorial said in the statement.
While few details have left some to speculate on the nature of security incident at Chicago-based CommonSpirit Health, moving systems offline and interrupting access to electronic health records is viewed as a defensive move, security experts told Healthcare Dive.
It’s possible that an “an attacker has access or is trying to get access to their system and they want to do whatever they can to prevent that. So what's the easiest way to do that? Unplug everything,” said Allie Mellen, senior analyst of security and risk at Forrester, a research and advisory firm for various industries.
Hospitals operated by CommonSpirit in Iowa, Washington, Texas and Nebraska also have been affected by the security issue after problems were first reported in Chattanooga.
Some hospitals were forced to revert to using paper charts and others diverted ambulances for a short period.
In Iowa, the Des Moines Register reported ambulances were diverted Monday for a short period of time from MercyOne Des Moines Medical Center, a CommonSpirit facility, to other emergency rooms.
In Washington, the Kitsap Sun reported the inability to access electronic health records has forced providers to revert to using paper charts.
If there is a potential that someone may have gained access to a system, it would be normal for a healthcare organization to revert back to paper mechanisms, or, in this case paper charting, said Rob Hughes, head of security and risk at RSA. RSA works with healthcare organizations to secure the identities of their users and manage access into their IT systems.
“My expectation is if you’re having a security event that it would relate to an attack,” he said. “You’d expect with a security event or with a security incident that someone was able to do something they shouldn't have or was somewhere they shouldn’t be.”
John Riggi, who advises the American Hospital Association on cybersecurity and risk and declined to comment directly on the incident at CommonSpirit Health, offered his input about cyberattacks.
“In general, when we have seen disruptive cyberattacks ... one of the defensive measures to keep the malware from spreading is to disconnect the affected technology, service, electronic medical record,” said Riggi, who is a former section chief at the FBI overseeing cyber issues.
Riggi added the defensive measures are like “quarantining an infected patient.”
The worst-case scenario is a ransomware attack, when attackers gain access and encrypt systems, demanding ransom from organizations in exchange for an encryption key.
“That’s a very common type of attack because private health information is a very expensive commodity,” Hughes said.
Hospitals collect a plethora of information from patients from social security numbers to medical diagnoses and addresses and it’s centralized in one location, Forrester’s Mellen said.
Attackers know hospitals will “feel pain from these types of attacks” because they need to operate every hour of every day, Mellen added.
Attackers in 2021 disrupted operations at Scripps Health for several weeks and stole patient information from about 150,000 patients, according to Fierce Healthcare. The ransomware attack cost Scripps Health $113 million in lost revenue and higher expenses, according to S&P Global Ratings.
CommonSpirit operates roughly 2,200 healthcare sites including 142 hospitals in 21 states, according to its latest annual report. More than 28 million outpatient visits were conducted at CommonSpirit Health facilities in fiscal year 2022.
The security incident is "very big deal" because of CommonSpirit’s many locations, according to Brett Callow, a threat analyst at security firm Emsisoft said.
Callow said a ransomware attack is the most likely explanation for such outages.
The FBI has not responded to repeated requests for comment. The HHS would not comment on whether CommonSpirit notified the agency of a breach.
Gloss