Ransomware attacks on healthcare facilities are becoming a grimly regular occurrence in the United States. One of the latest incidents, affecting the Ascension hospital network, has raised significant concerns about patient safety and the operational integrity of hospitals. Ascension, a nonprofit organization based in St. Louis, oversees 140 hospitals across 19 states. The cyberattack, which began on May 8, has severely disrupted hospital operations, forcing nurses to revert to manual systems and compromising patient care.
The Impact on Healthcare Operations
The ransomware attack has crippled Ascension’s electronic health record (EHR) systems, compelling healthcare providers to manually enter prescription information and manage patient data with paper records. Nurses from Ascension Providence Rochester Hospital in Michigan and another Ascension hospital in Birmingham, Alabama, have reported being overwhelmed and concerned for patient safety. They have highlighted how the absence of digital systems has increased their workload and the risk of medical errors.
One nurse from Ascension Providence Rochester Hospital, a 290-bed facility, explained the dire situation: “People have too many patients for what is safe. Nurses are taking on five or six patients dealing with all of this paper charting.” Another nurse from the 409-bed Ascension hospital in Birmingham added, “It is frightening how many safety guardrails [have been] out of service without any computers.”
Patient Safety at Risk
The shift to paper records has not only increased the burden on healthcare workers but has also directly impacted patient safety. The nurses, speaking anonymously to protect their jobs, detailed their struggles with the abrupt transition. Without access to EHRs, they cannot efficiently track patient orders, lab results, or other critical medical information. This lack of digital support heightens the risk of mistakes in administering medications and monitoring patient conditions.
“I don’t have any orders in the computer,” the Rochester-based nurse said. “I can’t see what labs are ordered and their results.” The reliance on manual systems has also led to significant delays in obtaining lab results, which are crucial for timely medical decisions. A nurse from the Birmingham hospital reported that “stat labs,” which usually take 30 minutes to an hour, are now taking hours to process due to the cyberattack.
Union and Administrative Responses
In response to the crisis, OPEIU Local 40, a union representing nurses at Ascension Providence Rochester Hospital, circulated an online petition expressing deep concerns about the challenges faced by healthcare professionals due to the cyberattack. The petition urged the hospital to implement immediate remedial measures, including reducing the nurse-to-patient ratio to ensure safer patient care.
Ascension’s director of media relations, Mac Walker, addressed the issue in a statement, emphasizing that restoring EHR access was a top priority. “Due to the hard work of our teams over the past several days, we have successfully restored EHR access in our first market and are actively progressing against a plan to restore access across our network on a rolling basis,” Walker stated. However, details about what constitutes Ascension’s “first market” were not provided.
Broader Implications of Ransomware Attacks
The Ascension ransomware attack is not an isolated incident but part of a broader trend affecting the healthcare sector. Last year, the healthcare industry reported 249 ransomware attacks to the FBI, more than any other sector. These attacks often disrupt patient care by cutting off access to electronic health records, forcing hospitals to divert ambulances and cancel appointments, thereby straining nearby facilities.
Health advocates and cybersecurity experts have long warned about the critical impact of cyberattacks on patient care. Research from the University of Minnesota School of Public Health has shown that ransomware attacks can increase hospital mortality rates. Under normal conditions, approximately 3 in 100 hospitalized Medicare patients die, but during a ransomware attack, this number rises to 4 in 100, underscoring the lethal potential of such cyber incidents.
Cybersecurity Challenges in Healthcare
The healthcare sector is particularly vulnerable to ransomware attacks due to several factors. Many hospitals and small clinics lack the resources and expertise to implement robust cybersecurity measures. Basic cybersecurity practices, such as regular software updates and multi-factor authentication, are often inadequately enforced. Moreover, healthcare providers possess vast amounts of sensitive data, making them attractive targets for cybercriminals.
In February, a similar ransomware attack on Change Healthcare, an insurance billing giant, caused widespread disruption. The breach affected billions of dollars of revenue and snarled service at pharmacies nationwide. UnitedHealth Group’s CEO, Andrew Witty, revealed during a congressional hearing that his company paid a $22 million ransom to hackers in an attempt to protect patient data. Despite these efforts, a significant portion of the American population’s health data may have been compromised.
Government and Industry Responses
The federal government is taking steps to address the growing threat of ransomware in the healthcare sector. Following the Ascension and Change Healthcare attacks, the Biden administration announced plans to release minimum cybersecurity requirements for U.S. hospitals. Senior officials from the White House and the Department of Health and Human Services are scheduled to meet with cybersecurity executives from healthcare companies to discuss strategies to bolster defenses against hackers.
Bryan Vorndran, the FBI’s top cyber-focused official, highlighted the strategic considerations of ransomware attackers: “When we look at ransomware targeting, it’s: who is the most easily targetable, who can afford little downtime and who has the highest willingness to pay.” The healthcare sector, with its critical need for continuous operation, fits these criteria, making it a prime target for cyber extortionists.
In Summary
The ransomware attack on the Ascension hospital network has exposed the severe vulnerabilities within the healthcare sector and the dire consequences for patient safety. As healthcare providers continue to grapple with the fallout from such cyber incidents, it is imperative for hospitals, government agencies, and cybersecurity experts to collaborate on strengthening defenses and ensuring the integrity of medical systems.
Ensuring robust cybersecurity in healthcare is not just about protecting data; it is about safeguarding lives. The Ascension incident serves as a stark reminder of the urgent need for comprehensive and proactive measures to defend against the escalating threat of cyberattacks on critical infrastructure. As technology continues to advance, so too must the strategies to protect it, ensuring that the digital tools intended to enhance healthcare do not become liabilities in the hands of cybercriminals.
For More Information
Search queries to help you find more information on the ransomware attack on Ascension Hospitals:
- “Healthcare IT News: Ascension ransomware attack” (This search focuses on healthcare IT news coverage)
- “Dark Reading” – Ascension cyberattack details
- “The Wall Street Journal: Black Basta ransomware targets Ascension hospitals” (Look for articles around May 8th, 2024)
- “Fierce Healthcare” – Ascension data breach updates
- “Search for press releases from Ascension on their investor relations website” (Look for news around May 8th, 2024)
