Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Ascension. Show all posts

Cyberattacks Threaten US Hospitals: Patient Care at Risk


 

A severe cyberattack on Ascension, one of the largest healthcare systems in the United States, has disrupted patient care significantly. The ransomware attack, which began on May 8, has locked medical providers out of critical systems that coordinate patient care, including electronic health records and medication ordering systems. This disruption has led to alarming lapses in patient safety, as reported by health care professionals across the nation.

Marvin Ruckle, a nurse at Ascension Via Christi St. Joseph in Wichita, Kansas, highlighted the chaos, recounting an incident where he almost administered the wrong dose of a narcotic to a baby due to confusing paperwork. Such errors were unheard of when the hospital’s computer systems were operational. Similarly, Lisa Watson, an ICU nurse at Ascension Via Christi St. Francis, narrowly avoided giving a critically ill patient the wrong medication, emphasising the risks posed by the shift from digital to manual systems.

The attack has forced hospitals to revert to outdated paper methods, creating inefficiencies and increasing the potential for dangerous mistakes. Watson explained that, unlike in the past, current systems for timely communication and order processing have disappeared, exacerbating the risk of errors. Melissa LaRue, another ICU nurse, echoed these concerns, citing a close call with a blood pressure medication dosage error that was fortunately caught in time.

Health care workers at Ascension hospitals in Michigan reported similar issues. A Detroit ER doctor shared a case where a patient received the wrong medication due to paperwork confusion, necessitating emergency intervention. Another nurse recounted a fatal delay in receiving lab results for a patient with low blood sugar. These incidents highlight the dire consequences of prolonged system outages.

Justin Neisser, a travel nurse at an Indiana Ascension hospital, chose to quit, warning of potential delays and errors in patient care. Many nurses and doctors fear that these systemic failures could jeopardise their professional licences, drawing parallels to the high-profile case of RaDonda Vaught, a nurse convicted of criminally negligent homicide for a fatal drug error.

The health sector has become a prime target for ransomware attacks. According to the FBI, health care experienced the highest share of ransomware incidents among 16 critical infrastructure sectors in 2023. Despite this, many hospitals are ill-prepared for prolonged cyberattacks. John Clark, an associate chief pharmacy officer at the University of Michigan, noted that most emergency plans cover only short-term downtimes.

Ascension's response to the attack included restoring access to electronic health records by mid-June, but patient information from the outage period remains temporarily inaccessible. Ascension has asserted that its care teams are trained for such disruptions, though many staff members, like Ruckle, reported receiving no specific training for cyberattacks.

Federal efforts to enhance health care cybersecurity are ongoing. The Department of Health and Human Services (HHS) has encouraged improvements in email security, multifactor authentication, and cybersecurity training. However, these measures are currently voluntary. The Centers for Medicare & Medicaid Services (CMS) are expected to release new cybersecurity requirements, though details remain unclear.

The American Hospital Association (AHA) argues that cybersecurity mandates could divert resources needed to combat attacks. They contend that many data breaches originate from third-party associates rather than hospitals themselves. Nevertheless, experts like Jim Bagian believe that health systems should face consequences for failing to implement basic cybersecurity protections.

The cyberattack on Ascension calls for robust cybersecurity measures in health care. As hospitals consolidate into larger systems, they become more vulnerable to data breaches and ransomware attacks. Health care professionals and patients alike are calling for transparency and improvements to ensure safety and quality care. The situation at Ascension highlights the critical nature of cybersecurity preparedness in protecting patient lives.


Ascension Ransomware Attack: Worker Error Leads to Data Breach and Recovery Efforts

 

Ascension, one of the largest health systems in the country, recently revealed that a ransomware attack on its systems was due to a worker accidentally downloading a malicious file. The health system emphasized that this was likely an honest mistake. Importantly, Ascension noted there is no evidence that data was taken from their Electronic Health Records (EHR) or other clinical systems, where full patient records are securely stored. 

However, the attackers managed to access files containing Protected Health Information (PHI) and Personally Identifiable Information (PII) for certain individuals. With the help of third-party cybersecurity experts, Ascension has gathered evidence indicating that the attackers extracted files from a small number of file servers used primarily for daily tasks by its associates. These servers represent seven out of approximately 25,000 servers across Ascension’s network. 

Currently, Ascension is uncertain about the specific data affected and the identities of the impacted patients. To determine this, a comprehensive review and analysis of the compromised files is underway. Ascension has started this process, but it is a substantial task that will require significant time to complete. As a precaution, Ascension is offering complimentary credit monitoring and identity theft protection services to any patient or associate who requests it. Those interested can call the dedicated call center at 1-888-498-8066. 

The cyberattack, reported on May 8, caused significant disruptions, including shutting down access to electronic health records across Ascension’s 140 hospitals and leading to delays in patient care. On a positive note, Ascension announced on Friday that EHR access has been restored across its hospitals. This restoration means that clinical workflows in their hospitals and clinics are functioning similarly to pre-attack conditions, improving efficiencies in appointment scheduling, wait times, and prescription fulfillment. However, medical records and other information collected between May 8 and the date of local EHR restoration may be temporarily inaccessible.  

Despite this progress, the investigation into the incident is ongoing, along with efforts to remediate additional systems. The cyberattack on Ascension is part of a larger trend of ransomware attacks targeting healthcare systems. In a related incident, Change Healthcare, affiliated with UnitedHealthcare, faced a ransomware attack on February 21. UnitedHealth Group CEO Andrew Witty disclosed to a House subcommittee that he paid $22 million in bitcoin to protect patient information during this attack. 

Ascension has not made any statements about ransom payments but confirmed last month that the attack was ransomware-related, with class action lawsuits citing a Black Basta ransomware attack. As Ascension continues its recovery and investigation, it underscores the need for heightened cybersecurity measures and vigilance to protect sensitive health information from cyber threats.

From Crisis to Continuity: Ascension Ransomware's Ongoing Toll on Healthcare

 


In response to a recent ransomware attack that affected the care of eight Detroit-area hospitals, Ascension Michigan is providing more information about how a recent ransomware attack is affecting patient care. In May, St. Louis-based Ascension reported a major attack on its nationwide healthcare services, which resulted in some hiccups in the care nationwide. 

Ascension has been working hard to resolve those issues. There are hospitals in Novi, Rochester Hills, Southfield, Madison Heights, Warren, Detroit, East China Township and Grand Blanc that are all located in Southeast Michigan. It is still a fact that some of the patient documentation and records are still being handled manually and on paper since the attack occurred, which is still in effect in some cases.

A statement from Ascension Michigan late Monday, May 13, said that all 15 Michigan hospitals, physician offices, and care centres remain open, but things are not as normal as they seem. Even though Ascension hospitals and facilities are open and continuing to care for patients, the system says that some of their patient services are being affected. Some procedures, appointments, and tests have been postponed because of the cyberattack. 

To cope with the cyberattack, some Ascension hospitals are diverting patients to other hospitals. According to the system, appropriate steps are being taken to handle emergencies appropriately. In a statement issued by Ascension, the company said, “Safety remains our top priority as we navigate this cybersecurity incident.” Ascension operates 140 hospitals and 40 senior centres in 19 states and Washington, D.C. Based in St. Louis, the company runs 140 hospitals and 40 senior centers. 

A statement has been issued by Ascension that the patient portal MyChart and electronic health records have gone offline. Paper records are used in the system and orders for medication, diagnostic tests, and other records are completed manually by the doctor. According to the St. Louis-based parent company, which announced a ransomware attack about a week ago, the system is making some progress after working around the clock over the weekend. 

Besides the Saint Thomas hospital system that it runs throughout the state, the company also operates several other healthcare facilities, including physical therapy offices, sleep centres, and heart hospitals as well. Throughout the event on May 8, Ascension was providing updates on the situation. The following day, the company issued a statement stating it was working with several law enforcement agencies to investigate a suspected ransomware attack that was detected on the company's servers. 

The company also confirmed the next day that the unusual activity had been caused by ransomware. Several organizations, including the American Hospital Association, have pointed to Black Basta, a well-known Russian-speaking ransomware gang, as being responsible for the attack. The company has not yet commented on who is behind the attack. The U.S. government requires health companies to report breaches that affect more than 500 people within 60 days. 

The Department of Health and Human Services is responsible for health care delivery. Ascension has not yet been listed in the agency's complaint portal which indicates that it is investigating this attack. Although there have been 23 other cases of these sorts in Tennessee over the past few years, the report does mention 23 others. Among black market data, health data is worth more than credit card numbers and social security numbers on the black market. 

Over the past five years, there has been at least a double-digit increase in cyberattacks targeting U.S. healthcare companies. Throughout each of Ascension Michigan's emergency departments, walk-in patients are welcome to receive care, according to the statement. The "diversion process" in some cases has been implemented in Ascension facilities, in which ambulances bypass these facilities and go to another location instead of going to an Ascension facility. 

Several factors may affect the decision to divert patients, as well as several factors in your community, such as the severity and frequency of the case, the service lines available, and the availability of the facility. Ascension said it had communicated with emergency medical service providers regarding the facility's availability. 

According to a press statement issued by Ascension, patients suffering from medical emergencies are advised to call 911 and first responders will send them to the appropriate hospital based on their needs. According to the statement released by Ascension, the project will affect different Michigan hospitals in different ways. Ascension Ransomware Incident Continues to Impact Patient Services In the aftermath of the recent Ascension ransomware attack, patients scheduled for elective surgeries are advised to adhere to their original appointments unless otherwise notified by Ascension staff. However, due to the transition to manual systems for patient documentation, patients may experience prolonged wait times and potential delays during their visits. 

To expedite the process, patients are encouraged to bring detailed notes on their symptoms and a comprehensive list of current medications, including prescription numbers or bottles. Diagnostic tests, crucial for patient care, have faced temporary delays in some facilities as resources are redirected to prioritize inpatient and emergency services. Patients requiring rescheduled diagnostic imaging and testing will be promptly contacted by Ascension. 

Despite the operational challenges posed by the attack, Ascension Michigan's doctor’s offices and care sites remain open during regular business hours, with scheduled appointments proceeding as planned in most cases. Patients will be notified promptly if rescheduling becomes necessary. Similarly, patients are advised to carry comprehensive documentation of their symptoms and medications to facilitate smooth consultations. Pharmacy services within the Ascension network continue to operate, albeit with certain limitations. 

While prescriptions can still be filled, patients are requested to provide their prescription bottles from prior fills. Furthermore, Ascension pharmacies are unable to process credit card payments at this time. Ascension has not provided a definitive timeline for the restoration of normal system operations. Additionally, the organization is conducting an ongoing investigation, in collaboration with the FBI, to ascertain the extent of any potential compromise to patients' personal information. 

Affected patients will be duly notified if their data has been impacted. Of notable significance, the ransomware incident occurred amidst an ongoing joint venture between Ascension and Henry Ford Health, aimed at integrating eight southeast Michigan Ascension hospitals and an addiction treatment facility in Brighton into the Henry Ford Health System. This venture, announced in the previous fall, is anticipated to be finalized and branded Henry Ford Health in the summer of 2024.

It is important to clarify that this venture does not constitute a merger or acquisition, as stated by both healthcare entities. In conclusion, while Ascension works diligently to restore normalcy to its operations, patients are encouraged to remain vigilant and patient amidst any potential disruptions to their healthcare services.