By Rachana Pradhan and Kate Wells
A May 8 ransomware attack against Ascension, a Catholic health system with 140 hospitals in at least 10 states, locked providers out of systems that track and coordinate nearly every aspect of patient care. They include its systems for electronic health records, some phones, and ones “utilized to order certain tests, procedures and medications,” the company said in a May 9 statement.
More than a dozen doctors and nurses who work for the sprawling health system told Michigan Public and KFF Health News that patient care at its hospitals across the nation was compromised in the fallout of the cyberattack over the past several weeks. Clinicians working for hospitals in three states described harrowing lapses, including delayed or lost lab results, medication errors, and an absence of routine safety checks via technology to prevent potentially fatal mistakes.
Despite a precipitous rise in cyberattacks against the health sector in recent years, a weeks-long disruption of this magnitude is beyond what most health systems are prepared for, said John Clark, an associate chief pharmacy officer at the University of Michigan health system.
“I don’t believe that anyone is fully prepared,” he said. Most emergency management plans “are designed around long-term downtimes that are into one, two, or three days.”
“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego. “These types of cybersecurity incidents should be thought of as a matter of when, and not if.”
Josh Corman, a cybersecurity expert and advocate, said ransom crews regard hospitals as the perfect prey: “They have terrible security and they’ll pay. So almost immediately, hospitals went to the No. 1 target of ransomware.”
In 2023, the health sector experienced the largest share of ransomware attacks of 16 infrastructure sectors considered vital to national security or safety, according to an FBI report on internet crimes. In March, the federal Department of Health and Human Services said reported large breaches involving ransomware had jumped by 264% over the past five years.
A cyberattack this year on Change Healthcare, a unit of UnitedHealth Group’s Optum division that processes billions of health care transactions every year, crippled the business of providers, pharmacies, and hospitals.
In May, UnitedHealth Group CEO Andrew Witty told lawmakers the company paid a $22 million ransom as a result of the Change Healthcare attack — which occurred after hackers accessed a company portal that didn’t have multifactor authentication, a basic cybersecurity tool.
The Biden administration in recent months has pushed to bolster health care cybersecurity standards, but it’s not clear which new measures will be required.
In January, HHS nudged companies to improve email security, add multifactor authentication, and institute cybersecurity training and testing, among other voluntary measures. The Centers for Medicare & Medicaid Services is expected to release new requirements for hospitals, but the scope and timing are unclear. The same is true of an update HHS is expected to make to patient privacy regulations.
HHS said the voluntary measures “will inform the creation of new enforceable cybersecurity standards,” department spokesperson Jeff Nesbit said in a statement.
“The recent cyberattack at Ascension only underscores the need for everyone in the health care ecosystem to do their part to secure their systems and protect patients,” Nesbit said.
Meanwhile, lobbyists for the hospital industry contend cybersecurity mandates or penalties are misplaced and would curtail hospitals’ resources to fend off attacks.
“Hospitals and health systems are not the primary source of cyber risk exposure facing the health care sector,” the American Hospital Association, the largest lobbying group for U.S. hospitals, said in an April statement prepared for U.S. House lawmakers. Most large data breaches that hit hospitals in 2023 originated with third-party “business associates” or other health entities, including CMS itself, the AHA statement said.
Hospitals consolidating into large multistate health systems face increased risk of data breaches and ransomware attacks, according to one study. Ascension in 2022 was the third-largest hospital chain in the U.S. by number of beds, according to the most recent data from the federal Agency for Healthcare Research and Quality.
And while cybersecurity regulations can quickly become outdated, they can at least make it clear that if health systems fail to implement basic protections there “should be consequences for that,” Jim Bagian, a former director of the National Center for Patient Safety at the Veterans Health Administration, told Michigan Public’s Stateside.
Patients can pay the price when lapses occur. Those in hospital care face a greater likelihood of death during a cyberattack, according to researchers at the University of Minnesota School of Public Health.
Rachana Pradhan is a reporter with KFF Health News. Kate Wells is a reporter with Michigan Public.
KFF Health News is a national newsroom that produces in-depth journalism about health issues and is one of the core operating programs at KFF—an independent source of health policy research, polling, and journalism.