Cyber experts hope CommonSpirit's crippling attack will spur hospitals to tighten defenses—and government to play offense

CommonSpirit Health continues to respond to and recover from a cyberattack that began in early October, which the health system is now classifying as a ransomware attack.

Over two weeks later, portions of the country’s second-largest nonprofit health system remain without full access to IT systems.

Electronic health record systems have been locked, surgeries delayed, appointments canceled and prescriptions left unfilled. CommonSpirit’s subsidiary CHI Memorial restored some EHR functions in its three affected hospitals as of Oct. 21, more than two weeks after the reported beginning of the attack on Oct. 3.

“We are in the process of restoring those systems that were taken offline,” a CHI Memorial spokesperson wrote in an email to Fierce Healthcare. “Our hospital electronic health record system is back online, and our hospital providers are now able to access their patients’ electronic health records. Some system functionality, including patient access to MyChart, is expected to be available in the coming days … It will take some time before we can restore full functionality and we continue work to bring our systems up as quickly and safely as we can.”

Cyber experts think the breach may be the thing to take the crisis of healthcare cybersecurity out of obscurity, drive the tightening of hospital defenses and create needed support for health systems.

CommonSpirit operates 142 hospitals and over 2,200 sites of care within 21 states. Reports from care centers themselves cover the country with the Chicago-based system stating that there was no impact to clinics, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities.

Subsidiaries that reported being affected by the attack include CHI Health facilities in Nebraska and Tennessee, Seattle-based Virginia Mason Franciscan Health providers, MercyOne Des Moines Medical Center, Houston-based St. Luke's Health and Michigan-based Trinity Health System. Full access in CHI Memorial’s MyChat system and outpatient locations has yet to be recovered. It is unclear how extensively the ransomware attack affected all centers for medical care.

CommonSpirit shared that it was in the process of conducting a forensics investigation to pinpoint the nature and entry point of the attack. Through the investigation, it will determine whether data were impacted, the health system said.

Speculative “post-mortem” on the CommonSpirit breach

Jon Moore, chief risk officer and senior vice president of consulting services at Clearwater Compliance, imagines that the health system is currently conducting a “post-mortem” while it works to bring all its systems back online. Clearwater is a software company focusing on cybersecurity and HIPAA compliance.

Due to remediation time, potential loss of reputation, being targeted for follow-up attacks and the increase in civil litigation related to health cybersecurity attacks, CommonSpirit may emulate its predecessors by remaining tight-lipped post-attack.

Moore speculates that the fractured nature of the attack may be due to unintegrated IT systems across CommonSpirit’s various acquisitions. There may be network segmentation that limited the spread of the ransomware, or the attack might have been caught early.

While the resources and bigger cyber liability insurance policies of a health system the size of CommonSpirit may have made it a target, Moore said those unintegrated systems that are to be expected after mergers and acquisitions perhaps provided a natural moat against further damage.

“There's a lot of complexity in an organization like that, from an IT perspective,” Moore said. “And in some ways, that's beneficial in these instances, because we don't have all of our eggs in the single basket that broke. But on the other hand, you know that that complexity also increases our attack surface, it also makes it harder to manage it and IT security as a whole. It makes it more expensive to manage as well.”

Moore uses insurance trends as a key to better understand the black box of hospital cybersecurity. Over the last few years, he has seen cyber liability insurance policy premiums double.

But while the rest of the world may only now be learning that hospital cybersecurity attacks are not a matter of “if” but “when,” insurance companies are far ahead of the game with premiums recently plateauing.

Insurance carriers also now require organizations to put certain controls in place before coverage is issued, including multifactor authentication. Many plans do not include extortion fees, thereby discouraging paying ransoms that could lead to attack cycles.

“These insurance companies have a lot more data because they're more actively engaged in these things,” Moore said. “They have a lot more insight into what's really happening and what the costs are associated with these kinds of breaches, what they're having to pay off and the controls that might have mitigated or prevented the attacks.”

Moore suggests hospitals, that haven’t already, start with a business impact analysis to create a hierarchy of which systems to protect and which systems need to be back online first. Be aware that decreasing refractory time following an attack becomes exponentially more expensive, he said.

For example, if a hospital determines that medical devices can be down no longer than 15 minutes, they must be willing to pay for that time. Then, after following HIPAA security rules, systems need to be tested.  

Anneka Gupta, chief product officer at security software company Rubrik, suggests that health systems take note of how long it has taken CommonSpirit Health to recover from the attack. It does not need to take that long, Gupta said. If the right plan is in place, that recovery period can be shortened.

Gupta calls the stage of preparation and testing “people, processes and technology.”  Staff can be trained against phishing; simulations can be done; data can be strategically backed up.

Rubrik asserts that there is no “one-size-fits-all” model for creating a plan, especially in a complex health system constantly embroiled in mergers and acquisitions.  Even on the software side, there’s a mosaic of different solutions, Gupta said.

Rubrik suggests organizations do table-top exercises with all relevant parties. “If IT operations and security operations have not talked before you’re in the middle of a ransomware attack, that’s not where you want to be,” Gupta said.

Rubrik designs a software approach to ensure that data have native immutability and are stored where attackers can’t reach them so the data can be recovered quickly. Gupta said legacy providers that were relying on old technology are now modernizing themselves in this way.

While she doesn’t imply that hospitals are negligent, she sees many health systems outfitted with outdated systems, conflicting priorities and technological needs that are difficult to meet.

“The talent that you need today is also very different than the talent that you needed 10 years ago, and how do we make sure that in this country there’s enough cybersecurity talent trained?” Gupta said. “The companies that can pay for that talent are typically technology companies, but, when you look at healthcare or other infrastructure, those organizations have a much harder time hiring the top talent because they can’t pay. That’s something we’re fighting with as well: Can technology fill some of those gaps?”

With an increase in Russian cyberattacks and malicious infiltration from foreign actors, she says now is a necessary time to increase defenses.

Hospitals ramping up cyber defenses based on lessons learned

It has not been confirmed whether CommonSpirit Health had backups of their data or if they paid extortion fees, which experts say can not only create attack cycles but also a precedent for cyberattacks overall.

Insurance companies have joined a chorus urging companies to not pay, but Lee Kim, senior principal of cybersecurity and privacy at the Healthcare Information and Management Systems Society, says judging organizations for doing so is the wrong perspective.  

Even if there are backups or a ransom is paid, systems often still have to be rebuilt, Kim noted.

Her main piece of advice for health systems? Get all departments vital to a health system involved in cybersecurity training and emergency procedures in the event of a cyberattack.

“Does that nurse or doctor know the telltale signs of ransomware?” Kim said. “Do they know who to contact if they suspect an event? Do they take part in the training that occurs as opposed to approaching ransomware in an ad hoc fashion?”

Patients reported clinicians using paper charting at CommonSpirit facilities; Kim says clinicians should be trained in how to work analog systems. They should know how to communicate when systems are down, where to run labs and where to divert patients.

Hospitals are relying on Band-Aid approaches until a significant event occurs, Kim noted. Anti-ransomware technology is helpful, but phishing is socially engineered, which makes people the weak link in an organization. 

“Laws and regulations likely can't keep step with the ever-advancing attacks and aggressiveness of what's happening offensively,” she said. “At the very least, having more information pushed to us as to what we could do to improve our cybersecurity posture using learnings from the government would be helpful.”

Community hospitals in rural settings already struggling under the burden of understaffing are in a particularly vulnerable position, according to Kim. Government leaders need to be aware that with new regulations, some hospitals may be able to afford security, and some may not, she noted.

She suggests a slow implementation of new regulations along with placing patient safety and security at the front of mind by including key clinicians when designing defense structures and response plans.

Cybersecurity has become a top-tier priority, according to John Riggi, the American Hospital Association’s (AHA's) national adviser for cybersecurity and risk. Hospitals can do a lot on defense, he said, with an emphasis on patient care and safety.

“Just as in any disaster or high impact event, a hurricane or tornado, hospitals make great efforts to triage patients, and they will treat the most critical patients that they have to and divert patients to other facilities which may have their capacity to treat them,” Riggi said. “There is a triage and a downtime process that's put in place just as they would for any major event, even a physical disaster.”

Riggi points to the 2021 cyberattack on the University of Vermont Medical Center as the first widespread publicity about a cybersecurity incident as attacks against hospitals ramped up during the COVID-19 pandemic. As many do in the field, he nods to the center's president and CEO Steve Leffler for sharing the lessons learned from the attack and spurring on the industry to catch up with the threat.

Hospitals are ramping up cyber defenses and assessing chinks in the armor, Riggi noted. He sees more hospitals putting downtime procedures into place to compensate for the potential of one to four weeks without medical technology.

Healthcare wants more government help to fight off attackers

Up against the digital infiltration of hostile nation states, hospitals can play technical defense, Riggi noted. “But ultimately, we cannot be successful unless there is a compatible offensive strategy as well by the government.”

“The security of medical devices has been a long, long concern in the healthcare industry, mainly because many of the devices were built very well,” Riggi said. “They were built around 15 or 20 years ago. When these devices were brought online years ago, they did not have the built-in cybersecurity protections necessary to help defend against current threats that we now have.”

The AHA has been a vocal supporter of the Protecting and Transforming Cyber Health Care (PATCH) Act, which would have mandated cybersecurity controls be put in place by manufacturers. However, the FDA appropriations bill passed in September without the cybersecurity requirements.

Sens. Patty Murray and Richard Burr and Rep. Frank Pallone reasserted Congress’ commitment “to revisit these key priorities” ahead of the December government funding deadline.

Recent AHA-supported legislation also includes the Healthcare Cybersecurity Act. The bipartisan bill, which has been introduced in the House and Senate, would direct the Cybersecurity and Infrastructure Security Agency to collaborate with the Department of Health and Human Services to improve cybersecurity.

In announcing the act, Sen. Jacky Rosen cited the status of hospitals and health centers as a part of critical infrastructure that when compromised can drive up the cost of care and create negative patient health outcomes.

The measured impact on patient safety also was emphasized in a poll released in September by the Ponemon Institute.  

While Riggi agrees that patients’ safety is at risk, the AHA released a blog post stating that the Ponemon poll does a disservice to healthcare providers and propagates the myth that hospitals are to blame for ongoing attacks.

“First, that assumes it's a low priority, not the case,” Riggi said. “It also assumes that if you are attacked, you were somehow negligent—not the case, even the federal government cannot 100% prevent attacks against their own agencies, so no one is immune.

"Until the government provides a safe harbor from regulatory and civil action, hospitals will always be concerned about speaking out. There's often this feeling by the victim organizations that they are exposed to re-victimization due to regulatory and civil actions which follow whether they have merit or not," he said.