Hospital Chain’s Patient Portals, Other IT Still Offline

Patient care continues to be disrupted at the U.S.’s fourth-largest hospital system as its response to a cyber incident enters a second week.

See Also: Building a Secure IoT Deployment Using 5G Wireless WAN

Patient portals, electronic prescriptions and some other IT systems are still unavailable at an undisclosed number of locations in the CommonSpirit Health network, the largest Catholic health system and the second-largest nonprofit hospital chain in the United States. It consists of 1,500 healthcare medical clinics and hospitals across 21 states (see: Patients Affected by Cybersecurity Event at Hospital Chain).

CommonSpirit first disclosed Oct. 4 an “IT security issue” forcing it to reschedule some patient appointments. NBC news reports the issue is ransomware.

Ransomware is a mounting threat for the healthcare industry, which attracts cybercriminals by having quantities of sensitive data, an often-earned reputation for poor cybersecurity and the perception that most physicians would rather pay the ransom than disrupt medical care. Cybersecurity firm Sophos reports that two-thirds of the healthcare organizations it surveyed reported a ransomware attack in 2021.

A notice posted on the website of CommonSpirit’s Midwestern subsidiary CHI Health says the organization has canceled, delayed or rescheduled some patient appointments and procedures “on a case-by-case basis.” Patient access to the Epic MyChart patient portal has been “temporarily suspended.”

CHI is telling patients out of prescription refills to have their pharmacist directly contact their caregiver for written reauthorization. “Nebraska and Iowa law allows for written prescriptions in emergency situations,” CHI Health says.

MercyOne, which operates 230 hospitals and other care locations in Iowa and is also part of CommonSpirit, on Oct. 6 released a statement saying it was unable to schedule appointments online in central Iowa.

“While it is difficult to assess CommonSpirit’s situation and response without knowing further details, this is a nightmare any large system faces,” says Kate Borten, president of privacy and security consultancy The Marblehead Group.

Some have speculated that CommonSpirit’s issues are tied to a more expansive security incident at electronic health records vendor Epic. The company in a statement to Information Security Media Group says the IT incident is “an isolated incident with one customer” that has not affected Epic’s other clients.

The consequences of a ransomware attack on healthcare systems are potentially fatal. No death has yet been directly attributed to ransomware, but a September 2021 analysis by the Cybersecurity and Infrastructure Security Agency says cyberattacks can contribute to increased patient mortality by degrading hospital capacity.

Borten says that the electronic interconnections between facilities of large healthcare entities are generally beneficial to providers and patients but they can become “major points of vulnerability,” allowing attacks to spread.

“This crisis will test CommonSpirit’s disaster recovery, incident response and business continuity plans,” Borten says.

Often, these plans are neglected, incomplete, out-of-date or untested by covered entities and business associates, she says. “They tend to be ‘back-burnered’ in favor of putting resources to work on more immediate issues and projects.”

“This is a good time for large and midsize organizations to review their data flow connections and ensure there are appropriate and tested processes for shutting off or isolating infected areas,” Borten says.

Paige Peterson Sconzo, director of healthcare services at security firm Redacted Inc., says the biggest takeaway from the CommonSpirit incident is a need for organizations to prioritize network segmentation to isolate systems that support patient care and reduce possible breach impact.

“Network segmentation is a vital bulwark to ensuring life-critical care is uninterrupted during both attack and remediation,” she says.

She recommends “double- and triple-checking” the existing incident response plan and ensuring key stakeholders, from unit charge nurses up to the CEO, understand their roles. “Everyone needs to understand how to remain operational should an attack occur.”

Finally, she adds, performing annual risk assessments that take into account the reality of the current environment can help limit risk from these types of incidents.