CommonSpirit’s Ransomware Incident Taking Toll on Patients

The cybersecurity incident roiling the fourth-largest hospital system in the United States is a ransomware infection, CommonSpirit Health confirmed Wednesday.

See Also: Building a Secure IoT Deployment Using 5G Wireless WAN

The attack, now in its second week, forced the nonprofit Catholic chain of 142 hospitals and nearly 2,200 care sites across 21 states to take systems offline, including electronic health records.

Loss of IT systems is more than an inconvenience: Their absence has delayed surgeries and in one Iowa hospital led to a toddler receiving an accidental megadose of painkillers.

“The resident told us it was a mistake due to the hospital’s systems being down,” the toddler’s mother, Kelley Parsi, tells Information Security Media Group.

Staff at the chain’s MercyOne Des Moines hospital on Monday administered a steroid and Tylenol with codeine to Jay Parsi, 3, after he was admitted to the emergency room following an earlier routine surgery. Shortly afterward, a physician informed the child’s parents that he had accidentally been given a dose of medication five times more than what was prescribed – twice the amount that should have been prescribed based on his age and size.

Because he spit out some of the medicine, hospital staff ultimately did not administer Narcan, a medication used to counter overdoses of opioids, Kelley Parsi says.

“I just want other parents and patients aware of what could happen when a hospital’s systems aren’t working. It was a nightmare,” the mother tells ISMG.

Neither MercyOne nor CommonSpirit immediately responded to ISMG’s request for comment. The Des Moines Register first reported the incident.

“Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created,” CommonSpirit says in an updated statement.

Ransomware’s Pernicious Effect on Healthcare

Ransomware criminals have ramped up attacks against the medical center despite the consequences felt by patients. A recent Ponemon Institute survey of healthcare IT and security professionals found that of about 245 who said their organizations had suffered a ransomware incident, 67% believed the cyber incidents affected patient care, including delayed tests or procedures, longer stays, and a rise in mortality rates.

A September 2021 analysis by the Cybersecurity and Infrastructure Security Agency says cyberattacks can contribute to increased patient mortality by degrading hospital capacity.

Last year, an Alabama mother linked the death of her 9-month-old baby to brain damage suffered during delivery, which occurred at a hospital in the throes of a ransomware attack. Her medical malpractice lawsuit is believed to be the first against a hospital related to a ransomware attack (see: Lawsuit: Hospital’s Ransomware Attack Led to Baby’s Death).

“The reliance on the electronic medical record continues to grow and that is to be expected,” says Susan Lucci, senior privacy and security consultant at tw-Security. Information like allergies, recent diagnoses, and current medications can influence patient care decision-making, she says. “This is another reason why everyone should have their own medical records, their dependent children, or aging parents in some format in the event that access to the EHR is not available.”

Spotty Impact

CommonSpirit says in a Wednesday statement that after discovering the ransomware attack, it took immediate steps to contain the incident, initiate an investigation and ensure continuity of care.

“Our facilities are following existing protocols for system outages, which includes taking certain systems offline, such as electronic health records.” The organization says it has notified law enforcement and is continuing to conduct a forensics investigation to determine whether data was affected.

The effect of the incident across CommonSpirit’s many facilities appears to vary widely. Systems serving the chain’s Dignity Health-branded facilities in California and Seattle’s Virginia Mason Medical Center have had minimal impacts on operations, CommonSpirit says.

The Catholic hospital chain is the result of several mergers and acquisitions involving other healthcare organizations, including the combination of Catholic Health Initiatives and Dignity Health in early 2019.

The “mix and match” of IT systems across CommonSpirit in the wake of its various mergers and acquisitions is likely a key factor in why the ransomware affected some parts of the organization and not others, says Keith Fricke, principle consultant at tw-Security.

It’s also possible that some elements of the hospital chain simply have better cybersecurity visibility and response capacities, Fricke says.

IT architectural differences could also be a factor, says Anthony Martinez, vice president of consulting services at Clearwater. “Should routing and switching prevent connectivity to a certain facility or facilities, an attacker would not have the opportunity to pivot in that direction.”