CommonSpirit Health has provided an update on the progress of its recovery effort in response to the October 2022 ransomware attack that impacted numerous services throughout its network. The health system discovered the attack on October 3, which required taking its IT systems offline, including its MyChart electronic health records (EHRs). The attack affected CommonSpirit Health, St. Luke’s Health, MercyOne, and Catholic Health Initiatives (CHI Health) facilities. Since the attack, the facilities have been running under emergency procedures. CommonSpirit Health had earlier reported that the incident did not affect patient care and related systems at TriHealth, Dignity Health, and Centura Health.
More than one month has passed since the attack, and business operations are not yet back to normal. Nevertheless, CommonSpirit Health has recently confirmed that most of the affected locations have regained access to their EHR systems, and patients served by those facilities can now access patient websites to see their health information. Consultation booking systems remain impacted, so patients are encouraged to contact their healthcare provider’s clinic directly to make appointments.
The health system has started a forensic investigation into the incident; however, its main concern is patient safety and getting the impacted systems back online immediately and securely. The forensic investigation seeks to confirm the methods the threat actors used to gain initial access to its systems, so that the health system can perform security updates, and to determine the extent to which patient data was breached, if any. CommonSpirit Health will give additional updates when the result of the investigation is available. The incident has been reported to the authorities, and third-party cybersecurity experts are helping to fast-track the recovery.
Although a number of healthcare companies are able to recover from ransomware attacks fairly easily, within 1 or 2 weeks of an attack, longer disruptions are typical. The average recovery period is 22 days. Several factors can affect the recovery period, such as the scope of the attack, the sophistication of the IT environment, and whether an incident response plan was in place. The value of preparing for security incidents and creating a practiced incident response plan was recently highlighted in the October 2022 Cybersecurity Newsletter by the HHS’ Office for Civil Rights.