Patients Affected by Cybersecurity Event at Hospital ChainEHRs Taken Offline at Multiple Hospitals as CommonSpirit Health Responds
Update Oct. 6, 2022 17:27 UTC: Electronic health records vendor Epic contacted Information Security Media Group with a statement distancing itself from the cybersecurity incident at CommonSpirit Health hospitals. The event is "an isolated incident with one customer" that has not affected Epic’s other customers, the company says. Social media chatter this week has speculated that CommonSpirit’s issues were tied to a more expansive security incident at Epic.
CommonSpirit did not immediately respond to ISMG’s inquiry about whether the organization’s Epic EHR systems was targeted by hackers, or whether patient records were taken offline strictly to prevent them from being affected by the other IT systems that were directly impacted.
A cybersecurity incident is affecting medical care delivery in some facilities belonging to Chicago-based CommonSpirit Health, a system of 1,500 healthcare sites across 21 states.
CommonSpirit, the largest Catholic health system and the second-largest nonprofit hospital chain in the United States, "is managing an IT security issue that is impacting some of our facilities," a spokeswoman said in a statement provided to Information Security Media Group.
The spokeswoman characterized a decision to take offline some electronic health records and other systems, which has resulted in some patients being turned away, as a "precautionary" step.
Among the CommonSpirit facilities affected are several Nebraska hospitals, including MercyOne Des Moines Medical Center; multiple Omaha-area facilities including Lakeside Hospital, Creighton University Medical Center-Bergan Mercy and Immanuel Medical Center; and Memorial Hospital in Chattanooga, Tennessee.
Cyber incidents, including ransomware attacks, involving larger healthcare organizations can have outsized impact on their surrounding communities.
Local TV station KMTV reports that Midwestern patients are experiencing difficulties finding care due a concentration of CommonSpirit hospitals in Omaha.
An attempt to make an appointment with her husband's heart doctor was met with a response that "we are not scheduling any new appointments because our computers are down," said Christine McIntosh, a resident of Council Bluffs, Iowa. Calls to other hospitals in metro Omaha resulted in the same response, KMTV reports.
"Our facilities are following existing protocols for system outages and taking steps to minimize the disruption. We take our responsibility to ensure the privacy of our patients and IT security very seriously," the CommonSpirit spokeswoman said.
CommonSpirit Health was formed in 2019 through the merger of Catholic Health Initiative and Dignity Health, and is one of the nation's largest nonprofit healthcare systems. The organization employs 150,000 healthcare professionals across the country, including 25,000 physicians and more than 40,000 nurses.
A multistate healthcare provider with "deep pockets and a large attack surface" would be an attractive target for criminal hackers, particularly for ransomware gangs, says David Kris, an adviser to security firm Theon Technology and a former assistant attorney general at the Department of Justice.
"That's particularly true if a single cyber exploit can be used repeatedly to compromise different parts of the organization simultaneously, or if a single compromise at any one point enables lateral movement inside the organization."
Other factors also contribute to attacks affecting multiple facilities of a healthcare entity that operates in many states.
Former CIA ethical hacker Eric Cole, also an adviser to Theon Technology, says that while some international laws say entities have to store data of citizens in the countries in which they reside, that mandate doesn't exist on a state level. "With the cloud, many of these system are located in one location and all of the locations use the same or similar systems. So as the saying goes, 'a vulnerability by one is often exploited by all.'"