Articles

Ransomware attack on CommonSpirit Health could affect 20 million Americans

Hackers are targeting the healthcare industry. Health systems are making progress around cyber security, but a great deal remains to be done. The average breach cost within the healthcare industry adds up to more than $10 million. According to analysts, healthcare tends to lag behind other industries in terms of bolstering cyber threat prevention and defense mechanisms.

In recent weeks, one of America’s largest hospital systems, CommonSpirit Health, revealed that it was hit by a ransomware attack. More than two weeks after the attack, portions of the IT systems remained inaccessible, leading to canceled appointments, delayed surgeries and prescription errors.

CommonSpirit Health Breach

The cyber attack on the CommonSpirit Health hospital system could affect as many as 20 million Americans. The organization runs 140 hospitals and more than 1,000 care sites across 21 different U.S. states.

In the immediate aftermath of the incident, the company took certain computer systems offline, as a “precautionary step”. Whether or not information was compromised remains unclear, but patients and their families have reported serious subsequent issues related to care.

According to one mother who brought her son to MercyOne Des Moines Medical Center for dehydration treatment, a doctor informed her that her son was mistakenly given 5X what was prescribed for pain medication after the hospital’s systems were taken offline.

Healthcare breaches at-large

In the U.S. alone, millions of Americans have had their healthcare records breached. During the first half of 2022, federal organizations indicated that there were more than 300 breaches involving a minimum of 500 patient records. If those numbers sound small, some of those attacks affected hundreds of thousands of people.

Healthcare security insights

The expansion of cyber-physical systems in healthcare means that hospitals and healthcare systems must do more to improve cyber security. Healthcare IT leaders need to identify cyber-physical infrastructure that may affect patient safety, create a list of corresponding cyber security priorities, and promptly address them.

If you’re a healthcare leader,  ensure that conversations around cyber security and security vulnerabilities are happening at the executive-level, and that high-level leadership provides direction and stresses priority around managing cyber security.

All healthcare staff members need to understand cyber hygiene best practices and the potential impact of a cyber threat. Leverage the culture of care and empower staff to isolate, report and prevent fallout from cyber attacks. Do the nurses know the signs of ransomware?

Healthcare organizations should also mandate multi-factor authentication, educate around phishing emails, and force periodic password changes.

One of the most powerful controls in a clinical environment consists of segmenting critical medical devices; ensuring that they are separated from a larger network by digital firewalls, which can inhibit the lateral movement of threat actors, preventing large-scale malware and ransomware issues.

Ultimately, countering the growing number of threats and cyber attacks may require building out staff and security operations, investing in MSP options, opting for automation capabilities, rethinking IoMT security, and adopting a consolidated security infrastructure.

For more insights into healthcare enterprise risk and risk management, please see the resources below.

Healthcare security resources

Remember, regardless of the industry that you work in, ransomware attackers tend to strike on weekends and holidays. As you move into the holiday season, consider ensuring that security employees are on-call around the clock and that they will be ready to respond in the event of a cyber attack.

Despite best-in-class cyber security initiatives, no organization is fully immune to cyber attacks. Unpack transformative insightsand learn about resilience strategies when you subscribe to the Cybertalk.org newsletter.

Back to top button