As CommonSpirit Situation Continues Forward, Cyber Expert Calls the Incident an ‘Unfortunate Disaster’

Oct. 17, 2022
Healthcare Innovation spoke with cyber expert Chad Wilson about the recent CommonSpirit Health IT security issue—Wilson says that an organization of this size touches many patients and families, putting patient safety at risk

Chicago-based CommonSpirit Health, which has 140 hospitals across 21 states and more than 1,000 facilities, has been experiencing an “IT security issue,” as mainstream media outlets have been reporting. Journalists began reporting the incident on Monday, Oct. 3, and updated information categorizes the incident as a ransomware attack. CommonSpirit is the second-largest nonprofit health system in the U.S.

According to an Oct. 6 article by Jessica Lyons Hardcastle from The Register, CommonSpirit had a short statement on its website saying it took some systems offline, including “electronic health record (EHR) and other systems.” As of Oct. 13, the statement was updated saying that “We have been managing a response to a cyberattack that has impacted some of our facilities. Patients continue to receive the highest quality of care, and we are providing relevant updates on the ongoing situation to our patients, employees, and caregivers. Patient care remains our utmost priority and we apologize for any inconvenience this matter has created.”

Further, “As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care. Our facilities are following existing protocols, which includes taking certain systems offline, such as electronic health records and patient portals. In addition, we are taking steps to mitigate the disruption and maintain continuity of care. To further assist and support our team in the investigation and response process, we engaged leading cybersecurity specialists and notified law enforcement.”

The statement adds that CommonSpirit is continuing to conduct a forensics investigation and review of their systems and will ultimately determine if there were any data impacts as part of that process.

“There is no impact to clinic, patient care and associated systems at Dignity Health, Virginia Mason Medical Center, TriHealth or Centura Health facilities,” the statement notes. “For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.”

In an Oct. 13 article by Debbie Cockrell for The News Tribune, Cockrell reports that “Operations at a VMFH hospital in Kitsap County have become especially difficult, with staff citing the ongoing IT issue, high patient demand and not enough staff. The Kitsap Sun reported that Saturday night [Oct. 8] the charge nurse in the emergency room at St. Michael Medical Center in Silverdale resorted to calling 911 for help in handling its backup of patients.”

An Oct. 13 article by Elisha Meyer for Bainbridge Island Review elaborated on the effect of the ransomware attack at St. Michael. Meyer reports that "St. Michael started experiencing problems Oct. 3 when it could not access the medical history of patients on its computer systems. It also caused issues with viewing x-ray and MRI results, among other complications. MyChart was also not available to patients who wanted to look at their own medical records."

Moreover, "The outage has led to mass cancellations of appointments and delays in critical medical procedures in Kitsap County. Without access to computer records, St. Anthony and other hospitals began using physical paper records and prescription bottles in an attempt to continue service to customers."

"St. Michael’s outage, combined with staffing shortages, led to members of Central Kitsap Fire & Rescue being sent to assist with work in the emergency room Oct. 8," Meyer comments. 

Healthcare Innovation spoke with cybersecurity expert and former Stanford Children's Health CISO Chad Wilson to get his perspective on the incident. Wilson says his initial thought is that “It’s a disaster. And an unfortunate one. As a CISO, this is something you don’t want to see happen.”

Wilson adds that “A larger organization [like CommonSpirit] has more patients and families to take care of vs. a smaller organization.” He says that an incident like this at a larger organization also impacts more staff than at a smaller organization, who now have to do their jobs without the tools and resources they are accustomed to.

Yet, regardless of size, Wilson says that “It's not easy for anyone to recover from ransomware that hit its system. A lot of systems have to be validated back into service. I think the small organizations are exposed, quite honestly, some of the difference [between large and small organizations] is not being as far along in security. And it's a challenge for smaller organizations to meet the same security standards as larger ones.”

“In this country, we don’t incentivize securing medical records,” he comments. “Everyone is not adhering to the same standard in the country and that's a legal challenge. We might hear about an incident at one large health care organization today. And tomorrow, it might be a smaller one that you don't hear about, but these incidents still have tremendous impact.”

In conclusion, Wilson says that a top challenge during an incident like this is the flow of information internally. “This is the information age,” Wilson notes. “Everyone wants updates every hour, and these things take time during an incident.”
