On May 9, Ascension, the largest nonprofit Catholic health system in the United States, announced that it had been the victim of a major cyberattack. This follows the recent large-scale cyber incident at Change Healthcare. However, Ascension's attack is different in that it directly impacted clinical operations across multiple facilities.
After detecting the suspicious activity on its network systems, Ascension immediately began remediation efforts and advised business associates to temporarily disconnect from the systems. It also engaged Google-owned cybersecurity firm Mandiant to assist with the investigation and remediation efforts. Additionally, the medical nonprofit notified all relevant authorities about the suspected cyberattack.
Let's take a closer look at what we currently know about the Ascension cyber incident, and also assess the future impact it may have on the healthcare sector.
Which hospital systems were affected by the Ascension cyberattack?
According to Ascension's cybersecurity event updates page, systems within the organization that are no longer available include:
- Electronic Health Record Systems
- MyChart, which allows patients to view their medical records and communicate with their healthcare providers
- Some telephone systems
- The various systems used to order specific tests, procedures, and medications
“However, out of an abundance of caution, we are temporarily suspending some non-urgent elective procedures, tests and appointments while we work to bring our systems back online,” Ascension said in a statement. Additionally, due to the downtime procedures, several of Ascension's hospitals have been placed on emergency medical services conversion status to ensure emergency cases are triaged immediately.
Ascension owns 142 hospitals, 40 senior care facilities and more than 2,600 nursing homes in 19 states and the District of Columbia. Ascension has not disclosed how many facilities are affected, but there are reports of disruptions at nursing centers in multiple states. Employees at these hospitals have reported that charting, scheduling and prescription writing systems have been affected.
Who is responsible for the Ascension cyberattack?
CNN reported that four sources briefed on the investigation suggested Ascension was hit by a ransomware attack using a Black Basta variant.
According to HHS, the Russian-speaking cyber gang “Black Basta” was first spotted in early 2022 and is known for double extortion-style attacks. In a double extortion ransomware attack, cybercriminals steal sensitive data from victims and encrypt it. The intruders then demand two ransoms: one for decrypting the data and another to prevent the stolen data from being leaked.
Black Basta targeted at least 20 victims in its first two weeks of activity, indicating the group is technically advanced and has a stable source of initial access. Given its sophistication and the group's reluctance to advertise on dark web forums, we believe Black Basta is a rebrand of the Russian-speaking ransomware-as-a-service (RaaS) threat group Conti, or that the group may be linked to other Russian-speaking cybercrime organizations.
On Friday, May 10, the Healthcare Information Sharing and Analysis Center, a cyber threat sharing group for major healthcare providers around the world, released an advisory warning that hackers using the Black Basta ransomware have “recently accelerated attacks on the healthcare sector.” The advisory said that at least two healthcare organizations in Europe and the United States “suffered significant operational interruptions” last month due to the Black Basta ransomware, but did not name the organizations.
Black Basta operators are known to use unique tactics, techniques, and procedures (TTPs) for infiltration, lateral movement, data exfiltration, and dropping ransomware. Black Basta ransomware is a cross-platform variant that runs only with administrative privileges on both Windows and Linux systems. The ransomware disrupts the machine's processes and eventually renders desktop files unavailable before sending a ransom note to the victim.
Previous attacks by Black Basta suggest they have used stolen credentials to gain access to an organization's systems. Initial access may also have occurred via a malicious link in a phishing email. Unlike other cyber threat actors, Black Basta uses a variety of tools and remote access methods, including Qakbot (aka QBot), SystemBC, Mimikatz, Cobalt Strike, and Rclone.
After gaining access, the group conducts “name and blame” attacks against its victims. Using the Tor site Basta News, the group publishes the names and descriptions of their victims, the percentage of public data stolen, the number of accesses, and other details about the data leak.
Ascension: The Frontline of Cyber Attacks
The Detroit Free Press reported that Ascension Hospital employees noticed a computer network outage around 7 a.m. on May 8, citing three employees who spoke on the condition of anonymity. “They had security concerns, so they shut the system down,” one doctor said. “It's affected everything.”
Another Ascension doctor in Michigan said, “We don't have access to medical records, we don't have access to the lab, we don't have access to radiology or x-rays, we can't give orders. We have to write everything down on paper. It feels like the 1980s and 1990s. You go to the x-ray room and look at the x-rays on film, you call the lab, and they tell you the results over the phone. So it's a lot more cumbersome, but we're trained for these moments.”
“Hopefully this won't last long because it will undoubtedly have a negative impact on patient care,” one doctor said. “The data shows that when computer networks are down, there is an increased risk of adverse events.”
Potential harm to patients from violations
The Change Healthcare incident was unprecedented in terms of the number of healthcare organizations affected and the damage it caused across the industry. The damage from the Change Healthcare breach is expected to exceed $1 billion. However, Change Healthcare primarily handles third-party billing, prior authorizations, and patient claims, whereas the Ascension attack has a direct impact on patient care.
St. Francis Hospital in Wisconsin, for example, was in chaos: “We had no idea who our patients were, when they were coming in, what their instructions were, because we had no access to any of that information,” said Gavin Rice, a diagnostic imaging specialist at St. Francis and a member of the Wisconsin Federation of Nurses and Healthcare Professionals.
Connie Smith, a surgical technologist and president of WFNHP, said nurses can't compare old tests to new ones to determine if a patient's condition has changed, which can be dangerous in certain emergency situations, like when someone has a heart problem. “If they come in in an emergency, the nurses want to compare EKGs,” Smith said.
Rice and Smith said staff are struggling to page doctors and take scans and x-rays, and patients' electronic medical records are currently limited to pen, paper and fax machines, causing delays in vital communications.
In 2017, a systematic review of studies reporting information technology (IT) issues in healthcare and their impact on healthcare delivery and patient outcomes was conducted. Findings showed that usage errors and poor user interfaces hindered receipt of information and led to errors in decision-making. Medication-related errors were also observed. Issues with system functionality, system access, system configuration, and software updates also delayed healthcare. In 53% of the cases reviewed, IT issues were associated with patient harm and death.
Aftermath of the Ascension Cyber Incident
While it is still too early to know, the impact of a cyber attack on Ascension would be significant. First and foremost, patient health is a concern, as an incident of this magnitude could adversely affect patient care. If so, the resulting legal costs could also be significant. As a result of the attack, ambulances were diverted, straining the network's ability to provide essential services. Ascension has relied on emergency back-up procedures to manage patient care across the network's extensive system of hospitals and senior living facilities.
If the Change Healthcare incident is any indicator, regulators are surely watching the Ascension breach closely. On its incident update page, Ascension said it has notified the FBI, the Cybersecurity and Infrastructure Security Agency (CISA), the Department of Health and Human Services (HHS), and the American Hospital Association (AHA). Ascension is also “sharing relevant threat intelligence with the Healthcare Information Sharing and Analysis Center (H-ISAC) to enable industry partners and peers to take steps to protect themselves against similar incidents.”
Following the Change Healthcare breach, the Department of Health and Human Services’ Office for Civil Rights (OCR) decided to open a HIPAA compliance investigation, and only time will tell if a similar investigation will be opened against Ascension.
Ascension, HITRUST, and Future Compliance Issues
The impact of this attack highlighted cybersecurity vulnerabilities in the U.S. healthcare infrastructure and sparked a major discussion about cybersecurity preparedness and response strategies. HITRUST certification is intended to signal to regulators, customers, and stakeholders that they can trust the strength of a certified organization's cybersecurity and data protection program. The HITRUST framework is considered the gold standard for compliance.
At least some components of Ascension, such as its Neighborhood Resource program, are HIPAA compliant and HITRUST certified. Additionally, Ascension is part of an advisory committee that is working with HITRUST and Frist Cressey Ventures to develop data security best practices for startups developing digital health technologies.
As the fallout from the cyberattack on Ascension continues, the full impact remains to be seen. Will patient health be adversely affected? What will investigations reveal? How will regulators respond to this incident? Will healthcare providers face sanctions? In response to this incident, federal agencies such as the FBI and CISA have issued advisories and are working closely with Ascension. These agencies have also issued broader warnings about the growing threat of ransomware attacks against critical infrastructure, including healthcare.
The back-to-back Change Healthcare and Ascension cyber incidents have shaken the healthcare industry to its core, and we will likely see an even greater reliance on certifications such as HITRUST in this space. Undoubtedly, with attacks like this occurring all the time, proving regulatory compliance will become even more important.
The post Ascension Cyberattack Disrupts Healthcare Industry appeared first on Hyperproof
This is a Security Bloggers Network syndicated blog from Hyperproof written by Erin Nelson. Read the original post here: https://hyperproof.io/resource/ascension-cyber-attack/