Getty Images/iStockphoto

Ransomware Attack Has Varying Impacts Across CommonSpirit Facilities

CommonSpirit Health is still recovering from a ransomware attack that impacted multiple facilities across the health system.

CommonSpirit Health is still in the process of responding to and recovering from a cyberattack that began in early October and impacted multiple facilities within the health system.

The confirmed ransomware attack resulted in appointment cancellations and forced some facilities to take patient portals and EHR systems offline as a precautionary measure.

“We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process,” CommonSpirit Health said in its latest update.

Notably, the cyberattack has impacted different CommonSpirit Health facilities in different ways as the recovery process continues.

In 2019, CHI Health and Dignity Health merged to form CommonSpirit Health. CommonSpirit is one of the largest nonprofit healthcare systems in the US, with more than 1,000 care sites and 140 hospitals in 21 states. Some facilities remained unimpacted by the cyberattack, while others are still working to recover.

One impacted hospital, MercyOne Central Iowa, said that most of its hospital-based systems and payroll platform were back online in an October 21 update. At select Virginia Mason Franciscan Health locations, most patient portal functionalities have been restored, but online scheduling for impacted facilities remains unavailable.

CommonSpirit Health's notice specifically noted that there was no impact on systems at Dignity Health, Virginia Mason Medical Center, TriHealth, or Centura Health facilities.

Jon Moore, chief risk officer and SVP of consulting services at Clearwater told HealthITSecurity that the varying impacts of the cyberattack on CommonSpirit’s facilities are likely due to several factors.

“CommonSpirit Health has grown through acquisition and, as a result, likely has a diverse portfolio of systems. Not all facilities likely use the same systems, and therefore, only those using the impacted systems are having issues,” Moore noted.

“Also, the network architecture and security tools may have limited the spread of the ransomware to only portions of CommonSpirit Health's network. The security team may have also identified and reacted in ways to contain the attack.”

Mitigating Healthcare Cybersecurity Risks

It is too soon to tell the extent of the ransomware attack, but any healthcare cyberattack carries concerns about data privacy and patient safety.

CommonSpirit Health’s notice said that “patients continue to receive the highest quality of care” throughout the recovery process.

Ransomware attacks are still impacting the healthcare sector at high rates, regardless of size. Of all critical infrastructure sectors, the healthcare sector faced the most ransomware attacks in 2021, the Federal Bureau of Investigation’s (FBI) 2021 Internet Crime Report revealed. 

It doesn't matter how large or sophisticated an organization you are, there continues to be a risk that you will be victimized by ransomware attacks,” Moore said.

Moore suggested that healthcare organizations focus on risk management and incident preparedness. HIPAA requires covered entities to implement an incident response plan, but practicing the plan regularly is nearly as crucial as having one.

Moore recommended conducting business impact assessments, preparing disaster recovery plans, and implementing an incident response playbook that is regularly updated with lessons learned.

The first step is understanding what systems are the most crucial to delivering patient care.

“Once the organization knows what systems are critical, it can make better-informed decisions around the appropriate level of investment to secure these systems,” Moore explained.

“Next, the organization should prepare its staff for how they will function if the critical systems go offline.”

Moore stressed the importance of investing in cybersecurity and enhancing efforts to manage risk across the sector.

Next Steps

Dig Deeper on Healthcare data breaches