Your Hospital Is Under Cyberattack. Now What?


Hospitals nationwide were forced to divert emergency medical services after Ascension, one of the largest U.S. health systems, fell victim to a cybersecurity incident Wednesday night.

In the wake of the attack, Ascension tapped the cybersecurity firm Mandiant to assist in its investigation and “remediation efforts.” Multiple systems are still down, including MyChart and certain phone lines, a health system spokesperson told Newsweek on Thursday evening. There is no timeline for completion.

Meanwhile, Ascension—which encompasses 140 hospitals across 19 states—has paused some nonemergency services and is advising patients to bring written notes on symptoms and medications to their appointments.

Mandiant, a subsidiary of Google, declined to comment further on the active investigation. In the interim, Newsweek connected with two of the American Hospital Association’s preferred cybersecurity providers, Critical Insight and Aon, to learn what the usual “remediation efforts” entail.

[Image: Cyberattacks on Hospitals. Ascension hospitals were forced to divert emergency medical services after a cybersecurity incident this week. Photo-illustration by Newsweek/Getty]

“The immediate aftermath is pretty messy, because there are going to be competing interests here,” Michael Hamilton, chief information security officer (CISO) and founder of Critical Insight, told Newsweek.

The hospital’s insurance company will investigate “with Q-tips and toothpicks” to ensure proper prevention measures were in place, Hamilton said. Law enforcement agencies like the FBI might get involved. Oftentimes, a third party like Mandiant is called in to identify where systems were breached, and what information was stolen by whom.

Negotiating with bad actors is no easy feat, which can exacerbate delays, according to James Trainor, former lead of the FBI’s cyber division and current senior vice president of Aon’s cyber solutions group. Some ransomware groups that target hospitals are sanctioned by the Office of Foreign Assets Control, and it would be a violation of federal law to pay them. A third party like Aon can help conduct negotiations and accelerate a return to baseline.

While outside organizations unravel the web, the health system is focused on continuing care—and communicating with patients to lessen the blows of potential class action lawsuits.

The process is underscored by a thrumming urgency. Cybergangs deal their blows from behind a screen, but they can still be fatal in the health care industry. If a credit card company sends a letter saying, “‘Hey, your record has been disclosed. We’re going to monitor your credit for free,’” it goes “right into the trash,” Hamilton said. “But if my kid quits breathing, and I call 911 or a hospital and it doesn’t work, that’s the worst day I’m ever going to have in my life.”

This vulnerability is attractive to ransomware groups, who are concerned with their “return on investment,” Trainor said. Health systems are under significant financial pressures and struggle to invest in appropriate cybersecurity measures (although increasing telemedicine and digital health offerings “blew up their attack surface” with buggy software, per Hamilton). And since hospitals cannot afford to delay care, they are more likely to hand over hefty ransom payments.

Hospitals are the perfect targets for cyberattacks, and should view them as “foreseeable events,” according to Hamilton. He recommends that every organization invest in automated controls to constantly monitor their networks, and “jail” any device that shows signs of trouble.

“But there’s one other thing that needs to be done, and this is the easiest, and the hardest thing to do,” Hamilton said. “You have got to have a policy of ‘all personal use on a personal device.’”

That means no personal accounts—Gmail, Instagram, Facebook, Snapchat—should ever see the screen of a company device. When Hamilton was CISO of the city of Seattle, his team concluded that 40 percent of compromised assets were due to the use of personal email accounts on the organization’s private network. If implemented and enforced correctly, this policy could significantly reduce a health system’s vulnerability to cyber threats, Hamilton said.

Meanwhile, Trainor believes hospitals will require more financial support from the federal government to protect themselves against cyberattacks. Without the proper funding, he said, “I just don’t see the problem getting any better.”

“I do think it’s a national security public safety issue,” Trainor said. “So, when those things are at stake, I think it is appropriate for the federal government to provide resources and funding to support those industries.”

President Joe Biden’s budget proposal for fiscal year 2025 allocated $800 million to help “high need, low-resourced” hospitals implement federally mandated cybersecurity measures. It also set aside $500 million in incentive funding to encourage all hospitals to advance their cybersecurity practices.