
Patient data stolen in Ascension ransomware attack, but EHR restored


Ascension this week made two follow-up announcements around the Black Basta ransomware attack that forced the non-profit healthcare provider to shut down its systems across 142 hospitals and 40 senior facilities in early May and resort to filling out charts on paper.

On June 12 Ascension said attackers stole files that may contain the protected health information (PHI) and personally identifiable information (PII) of patients. Ascension said an employee working in one of its facilities accidentally downloaded a malicious file that they thought was legitimate.

“We have no reason to believe this was anything but an honest mistake,” said the non-profit.

Wednesday’s announcement was followed on June 14 with news that electronic health record access was restored across the Ascension health system. Ascension said this means that clinical workflow in its hospitals and clinics will function similarly to the way it did prior to May's ransomware attack.

“The Ascension announcement is not a surprise, the Health Sector Coordinating Council identified social engineering as the first attack vector to be concerned about when prioritizing risk remediation,” said Toby Gouker, chief security officer at First Health Advisory, and an SC Media columnist. “I applaud the transparency here, which is not common or required, but goes a long way to support the patients impacted and other entities that should review their systems and processes to prepare for similar outcomes.”

Gouker added that bad actors talk all the time about what works on medical facilities, and we need to share far more on what they are doing and our actions to lessen the impact.

“Phishing, social engineering, and other cyberattacks will continue to happen, even to the best of us because of the asymmetry of the contest,” said Gouker. “What’s crucial is to focus on recovery and building resilience.”

Ashley Leonard, founder and CEO of Syxsense, pointed out that there are two important differences in Ascension’s response versus the response from United Healthcare after the Change Healthcare incident earlier this year.

Leonard said Ascension's latest posts demonstrated a clear difference in culture. Ascension framed the latest details as an employee's inadvertent role in the cyberattack. This lack of blame put on the employee (at least externally) is quite different than former cyberattacks, for example SolarWinds, where CISO Tim Brown still faces legal charges from the 2020 incident.

“The truth is simply that humans make mistakes,” said Leonard. “To pressure IT and security staff to be perfect 100% of the time is simply not a strategy.”

Most notable, Leonard continued, is Ascension's overall incident response. Leonard said it’s clear that Ascension had an incident response plan that includes critical crisis communications activities, and they are following the plan.

“It certainly seems like they understand that in the absence of information, speculation floods in,” said Leonard. “Incident response isn't only restoring operations, but restoring trust. This straightforward piece of information enables Ascension's team to focus on restoring both as fast as possible. You can see that in the markedly shorter downtime that Ascension is experiencing, whereas Change Healthcare operations are still not back to normal.”

John Bambenek, president at Bambenek Consulting, added that Ascension offers a wealth of information, which goes a long way to calming patients and restoring trust. That said, Bambenek said a ransomware attack occurs because of a series of technical failures.

“Sure, a human may have accidentally downloaded something they shouldn’t have,” said Bambenek. “However, there were many controls before and after which are commonly available to prevent a mouse click from downing an entire healthcare conglomerate.” 
