Ascension, the fifth largest health system in the US, is recovering from a May ransomware incident that forced staff to make handwritten treatment orders after losing access to critical Electronic Medical Records (EMR) software.
In news coverage of the crippling Ascension ransomware event, some staff called the situation “dangerous” for patients as hospitals were forced offline, meaning staff members had to resort to paper and handwritten treatment orders.
A Detroit Free Press article on the attack reported that “Medical orders for lab work, imaging tests and prescriptions still were being written on paper and faxed to various parts of the hospitals and to doctors’ offices.” Ascension operates 15 acute-care hospitals in Michigan alone.
The St. Louis-based nonprofit oversees 140 hospitals across 19 states and recently announced plans to restore electronic health records by June 14 following the May ransomware attack. The health system is working with Mandiant, a cybersecurity consulting company, to investigate the cyberattack.
From an Ascension spokesperson:
“Ascension continues to work expeditiously alongside industry-leading cybersecurity experts in our efforts to safely restore systems across our network. Please know our hospitals and facilities remain open and are providing patient care. Patients should continue to visit the regional updates portion of this webpage for the latest information on a state-by-state basis.
Ascension continues to make progress in our efforts to safely restore systems across our network. Restoring our Electronic Health Record (EHR) continues to be among one of the top priorities of our recovery process.
To date, we have successfully restored EHR access in our Florida, Alabama, Tennessee, Maryland, Central Texas (Ascension Seton and Dell Children’s hospitals), and Oklahoma markets. We are still working toward completing EHR restoration across our entire ministry by June 14.”
Officials with Ascension said they have notified law enforcement and other government bodies including the FBI, the Cybersecurity and Infrastructure Security Agency (CISA) and the Department of Health and Human Services, among others.
The May cybersecurity incident comes three years after Ascension fired hundreds of IT staff and outsourced the roles to India. It is also reminiscent of the large-scale attack earlier this year on Change Healthcare, a unit of UnitedHealth Group that manages that nation’s largest health care payment system. That attack was caused by a lack of multifactor authentication, in a U.S. Senate hearing appearance by UnitedHealth CEO Andrew Witty.
Hospitals are prioritizing cybersecurity more than ever. Last year alone the health care sector reported 249 ransomware attacks to the FBI , more than any other sector, with some cases affecting patient records. Since 2020, the healthcare industry has maintained the highest average data breach costs for 13 years in a row across all sectors — reaching $10.93 million per cybersecurity event.
