Hospital giant's IT still poorly a week after suspected ransomware infection
Insiders tell of struggle to access patient info, meds without working computers
Updated Computer systems are still down at CommonSpirit Health – America's second-largest nonprofit hospital network – more than a week after it was hit by a somewhat mystery cyberattack.
The US's largest Catholic healthcare provider remains very tight-lipped about the root cause of this digital breakdown, and when it expects its systems to come back online. At one point, and this may still be the case, access to electronic patient records and shift scheduling tools was cut off, treatments were delayed, and ambulances were diverted as a result of the snafu. Staff were reportedly forced to use pen and paper.
In a statement that seems to be shrinking over the course of the ongoing downtime, which reportedly began on or around October 3, the Chicago-headquartered organization said it identified "an IT issue" affecting "some" of its more than 1,000 medical facilities across 21 states.
"We have taken certain systems offline," the statement reads today. Last week, the notice said this included "electronic health record (EHR) and other systems," and blamed "an IT security issue." That detail is missing from the latest missive, linked from the CommonSpirit dot-org website.
"We are continuing to investigate this issue and follow existing protocols for system outages," the update now reads.
A CommonSpirit spokesperson declined to answer The Register's questions about the situation, including those about its scope, remediation activities, and whether it was a ransomware attack, and instead directed us to the "IT issue" statement on the website.
NBC News, citing "a person familiar with its remediation efforts," said the healthcare org was a victim of a ransomware infection.
Infosec experts have supported this conclusion. And Emsisoft analyst Brett Callow, when asked about the CommonSpirit drama, told The Register: "Statistically speaking, a ransomware attack is the most likely explanation for an incident such as this."
Meanwhile, reporters and purported employees of affected hospitals tell stories of overwhelmed emergency room nurses calling 911 for help and medical treatments being postponed due to these system outages.
A person who claimed to work for CommonSpirit posted over the weekend on a Reddit board for nurses complaining that IT systems including patient record software Epic, payroll tools, shift scheduling suite Kronos, and the company intranet were down.
"It is a nightmare," the person said, claiming employees get more information about the cyberattack from the media than from hospital management. "Paper charts only, no organization, no standardization, no leadership in sight. Depending on the unit, some have organized charts and some just have charts thrown all over the place with papers rubberbanded."
Medical staff can't review patients' history, the pharmacy can't verify orders, and lab results are faxed between providers, the Reddit user alleged. "So meds and lab turnaround are hours for anything not stat."
- Huge nonprofit hospital network suffers IT meltdown after 'security incident'
- Ransomware gang threatens 1m-plus medical record leak
- Healthcare organizations face rising ransomware attacks – and are paying up
- Hive ransomware affiliate zeros in on Exchange servers
A Register reader who said her daughter is a nurse at a CommonSpirit hospital, which we have chosen not to identify, said the facility has patients on dialysis machines without current lab reports, and IV medications coming from the pharmacy have hand-written labels "without correct order information."
"Most of the nursing staff is unfamiliar with doing paper charting and handwritten information leads to errors," they told us.
In April, the US Health and Human Services (HHS) agency warned healthcare orgs about the Hive ransomware gang, which HHS described as an "exceptionally aggressive" threat to the health sector.
At least 15 US healthcare systems operating 61 hospitals have been hit by ransomware so far this year, according to Callow. In at least 12 of these infections, miscreants got hold of data including protected health information. ®
Updated to add
Surprise, surprise: CommonSpirit now says it was hit with ransomware. In an updated statement, the hospital chain said:
Upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care.
Our facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records. In addition, we are taking steps to mitigate the disruption and maintain continuity of care.
To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement.
We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process.