Ascension, a health care system with 140 hospitals in 19 states and Washington, D.C., and tens of thousands of employees and affiliated providers, reported a “cyber security event” on Wednesday. This event has caused a “disruption to clinical operations” within the company. Major impacts to medical services have been observed in several states, such as Kansas, Florida, and Michigan. This disruption has led to some patients being diverted to other hospitals and a lack of access to digital records.
The situation with Change Healthcare has reignited the conversation around establishing minimum cybersecurity standards for the hospital industry. Industry groups have expressed their commitment to fighting against the implementation of such standards. Health care remains one of the most targeted sectors by ransomware operators, likely because disruptions to medical services are intolerable for long periods, and operators might be more inclined to pay extortions as indicated by cybersecurity firm Emsisoft.
Physicians in Michigan revealed that they are now required to write everything on paper due to the cyber security event. The situation has taken the medical facilities back to the technology levels of the 1980s or 1990s. This attack comes at a time when lawmakers and federal regulators are still dealing with the aftermath of the February attack on Change Healthcare, which exposed private data on a significant number of Americans according to company estimates. Change Healthcare admitted to paying $22 million to the ALPHV ransomware group, which then shut down its site. An affiliate who was allegedly involved in the attack took 4 terabytes of data to another extortion site after being cut out of the proceeds.
