Ascension hospitals make progress in ransomware attack recovery

UPDATE 6/20/2024 -- As of June 14, Ascension had restored EHR access across the organization. Patients also now have access to patient portals, although staff is working to update the portal with information collected during the downtime. Ascension warned patients that responses to portal messages may be delayed due to high volume. 

---

5/28/2024 -- In its latest update, Ascension informed patients that it continues to "work around the clock" to restore operations across its network. 

"We are hopeful that after the weekend, our patients and clinicians will see progress across our points of care," a May 24 notice stated. "Many of our vendors and partners have also started the process of reconnecting to our network and resuming services with Ascension, which should help to accelerate our overall recovery."

All Ascension facilities remain open with varying disruptions across care sites. Ascension has maintained webpages with state-by-state updates. There is currently no defined timeline for full system restoration. 

---

5/16/2024 -- In a May 15 update, Ascension stated that it continues to make progress toward restoration with the help of Mandiant forensic experts and additional assistance from Palo Alto Networks Unit 42 and CYPFER.

Ascension also launched state-specific webpages to inform patients of regional disruptions. For example, at certain Ascension Saint Thomas hospitals in Tennessee, ambulance services are being diverted for specific medical cases.

Meanwhile, at Ascension St. Agnes Hospital and care sites across Maryland, it does not appear that ambulances are being diverted, but patients were told to expect longer wait times due to the transition to manual documentation systems. The impact of the cyberattack has had varying impacts on hospitals state-by-state.

“As we continue to progress in these recovery and restoration efforts, we want to express a sincere thank you to our patients and community for your patience and support through this difficult time,” Ascension stated.

---

5/13/2024 -- Ascension is diverting emergency medical services at several hospitals as it works to address a ransomware attack. As previously reported, Ascension discovered a cybersecurity incident on May 8 that impacted some of its network systems, including its EHR system. Ascension operates more than 140 hospitals across 19 U.S. states.

In its most recent update on the incident, an Ascension spokesperson said that its hospitals remain open and are continuing to provide care. However, emergency services at several hospitals are being diverted “in order to ensure emergency cases are triaged immediately.”

Additionally, Ascension has paused some non-emergency elective procedures, appointments, and tests while it continues to work through the incident. Providers have reverted to several downtime procedures as the organization’s EHR systems remain unavailable, including moving to paper records and using manual processes for dispensing medication, contacting patients, and ordering diagnostic tests.

Ascension does not yet have a timeline for restoring its systems but said that it expects both the restoration and investigation processes to take time to complete.

Upon discovery, Ascension engaged Mandiant to assist in the investigation process and alerted its business partners of the incident. Ascension is also working with the FBI, HHS, the Cybersecurity and Infrastructure Security Agency (CISA), and the Health Information Sharing and Analysis Center (H-ISAC).

“Kudos to Ascension for immediately disconnecting the infected portions of their network and we have to hope they are able to resume normal operations quickly,” said Dan Lattimer, vice president at Semperis, in reaction to Ascension’s initial notice. 

“Ascension’s transparency is noble and notifying their business partners about the breach will enable any company in their supply chain to assess its own risk. We don’t yet know why Ascension was targeted, but the biggest reason hackers target hospitals are to get paid. It’s that simple.”

Lattimer emphasized the importance of identifying single points of failure and maintaining visibility into networks to quickly address anomalies.

In the wake of the Change Healthcare cyberattack, critical infrastructure is at the forefront of cyber conversations across the public and private sectors. At a May 8 RSA Conference session in San Francisco, David Luber, director of cybersecurity at the National Security Agency (NSA), emphasized his concerns about increasing attacks against critical infrastructure.

“I think the area of most concern for me is when cyber can turn to physical,” Luber said.

“When the outcome of a cyberattack, especially in critical infrastructure, turns to some sort of physical impact, whether it's in some of the smaller scale activities, water overflowing, but then on amore broad scale, you can just use your imagination on where some of those physical manifestations and impacts can occur.”

Critical infrastructure security remains a top priority for various federal agencies, spearheaded by CISA’s efforts to protect these sectors.