Fraud Management & Cybercrime , Healthcare , Incident & Breach Response

Impact of Ascension's Cyberattack IT Outage Varies by Region

In Some Regions, ER Patients Still Diverted, Pharmacies Can't Fill Prescriptions
Impact of Ascension's Cyberattack IT Outage Varies by Region
Ascension hospitals across several states - including St. John in Oklahoma - are feeling the impact of IT outages resulting from last week's cyberattack on the organization. (Image: Ascension)

U.S. hospital chain Ascension is making progress recovering from last week's ransomware attack, but it will take time to restore all its affected IT services, including electronic health records and systems supporting its pharmacy operations.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

The severity of IT disruption varies across regions served by the Catholic chain, which operates 140 hospitals and 40 senior care facilities in 19 states plus the District of Columbia.

Ascension in a statement posted late Monday said its hospitals remain open, although several hospitals still can't accept emergency patients.

Some elective procedures, tests and appointments are being "temporarily paused" as Ascension continues to work on bringing its systems back online. The chain continues to rely on manual processes for functions such as "dispensing medication, inputting health medical records, ordering and completion of diagnostic tests and procedures, contacting patients and sharing information."

Ascension said it does not yet have a timeline for full recovery. "We expect this process will take time to complete." The hospital is investigating whether hackers compromised personal health information.

Ascension already faces at least two proposed federal class action lawsuits filed over the last few days by patients who allege that their personal health information was compromised in the Ascension attack, putting them at risk for identity theft crimes.

A source familiar with the Ascension investigation told Information Security Media Group on Monday that the Russian-speaking ransomware-as-a-service group Black Basta was behind the attack. Multiple U.S. government agencies and healthcare industry groups last Friday issued advisories about Black Basta threats facing the sector (see: Feds, Groups Warn Health Sector of Black Basta Threats).

Varying Impact

The effect of IT outages varies across regions. Ascension said its retail pharmacies in Maryland are functioning on a cash basis and that patients are being asked to provide their prescription number.

In Oklahoma, certain Ascension pharmacies are not operational. "We will work with patients to find an alternative pathway to get a fill at another pharmacy if ours is not an option," Ascension said.

In Wisconsin, no Ascension pharmacies are able to fill prescriptions.

A number of reasons could explain why the impact of the cyberattack's IT outage differs among Ascension facilities, some experts said.

It is common for IT operations across a multistate healthcare system to run on different networks, said Dave Bailey, vice president at security and privacy consultancy Clearwater.

"Segmenting or isolating by region, department or function enables more granular control of its network and limits an attacker's ability to gain a foothold, move laterally across the attack surface, find data, exfiltrate and ransom," he said.

St. Louis, Missouri-based Ascension's growth by mergers and acquisitions into one of the largest healthcare systems in the United States could be another factor.

"Mergers and acquisitions take time to integrate into their IT operations," said Wendell Bobst, partner and principal consultant at tw-Security. "There are limits to the size of an Epic electronic health record database. Many multistate Epic systems have different databases by region," he said.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.