Ascension, FBI investigating 'ransomware' attack that disrupted hospital systems

Ascension St. Vincent's Riverside in Jacksonville.

The investigation into a cyberattack on Ascension Health Care continues this week with the help of the FBI and other agencies as the company restores services that were disrupted at its 140 hospitals nationwide, including three in the Jacksonville area.

In its latest statement, the company called the attack, detected May 8, a "ransomware incident" but did not say if a ransom demand was made or paid. Ascension said earlier that it has not determined if "sensitive information" was affected.

Ascension said it is "working closely with industry-leading cybersecurity experts to assist in our investigation and restoration and recovery efforts" and has notified law enforcement, the FBI, the Cybersecurity and Infrastructure Security Agency, the Department of Health and Human Services and the American Hospital Association.

The FBI recommends against paying a ransomware demand, which the agency said "doesn’t guarantee you or your organization will get any data back. It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."

Ascension is also "sharing relevant threat intelligence" with the Health Information Sharing and Analysis Center to help other hospitals and health care companies "take steps to protect themselves from similar incidents," according to the statement.

CNN reported that the Ascension attack stemmed from "cybercriminals [who] typically try to lock computers and steal data for extortion," quoting four sources who the network said had been "briefed on the investigation."

"Those sources said that the type of ransomware used in the hack is known as Black Basta, which hackers have used repeatedly to attack health care organizations in recent years," CNN reported.

Some Ascension Jacksonville hospital systems disrupted

After last week's attack, some Ascension hospitals had no access to electronic health records, some phone systems and various other systems that order certain tests, procedures and medications or MyChart, which allows patients to view their medical records and communicate with providers. Some hospitals were delaying elective medical procedures and diverting emergency patients to other hospitals.

An Ascension Florida spokesman said Saturday that operating and emergency rooms at the company's hospitals in Jacksonville — Ascension St. Vincent's Clay, Ascension St. Vincent's Riverside and Ascension St. Vincent's Southside — and statewide were "continuing to provide care" and had been since the cyberattack was detected Wednesday. No emergency services cases were diverted to other hospitals, he said.

But users of some systems at Ascension's Jacksonville and Florida hospitals, such as electronic records and MyChart, "may experience delays in some areas," he said.

"While our restoration work continues in earnest, our focus is on restoring systems as safely as possible," according to the company's latest statement. "While we expect this process will take time to complete, we are making progress and systems are being restored in a coordinated manner at each of our care sites. We will continue to share updates on our recovery process."

Ascension has not said how the attack occurred or if the company needs additional cyber security measures to prevent future incidents.

What are other Northeast Florida hospitals doing about cyber threats?

The largest hospital system in the Jacksonville area is Baptist Health, with five full-service hospitals, a children's hospital, a heart hospital and a cancer center. In response to Times-Union inquiries, the company said its preventive measures against cyberattacks include "rigorous infrastructure evaluations to protect against vulnerabilities."

Other measures include "following best practices and procedures" identified by the Cybersecurity and Infrastructure Security Agency, Health Information Sharing and Analysis Center and the National Institute of Standards and Technology, among other cybersecurity experts, according to the statement. Also, the company has the latest security technologies and monitors "potential vulnerabilities."

With the help of government agencies, Baptist conducts "tabletop exercises … to practice and strengthen our response procedure" and practices "downtime protocols" on how to maintain operations if a cyberattack is detected, according to the statement. Also, the company provides staff with cyber training and other appropriate education.

"We empathize with Ascension," the Baptist statement said. "As part of the health care community in Northeast Florida, we stand ready to support their local hospitals however they may need during this time."

Health care is a frequent cyber crime target

Jack Danahy is vice president of strategy innovation at NuHarbor Security, a Vermont-based cybersecurity firm following the Ascension attack. In response to Times-Union inquiries, he said "health care in general" is the most frequent target of ransomware attacks, citing the FBI Internet Crime Report.

"Health care providers are … a gold mine for cybercriminals as they are packed with sensitive data and provide essential, life-saving services," he said. "When attackers hit them with ransomware, they will be able to steal valuable information for resale and there is a higher likelihood that the hospital will pay the ransom to keep operations running and ensure patient safety. It's all about the money and the willingness of targets to pay."

Successful attacks can be devastating and dangerous, he said.

"Critical care data, like patient histories, prescription interactions and sharing of day-to-day patient progress, are all removed from the hands of providers," Danahy said. "Doctors and nurses are left in the dark or are forced to find, create and share written versions of these sources. Some treatments get delayed and some services that require computer management are eliminated."

Disruptions to hospital systems have a "domino effect" on all patient interactions, treatment, prescriptions and transactions, Danahy said.

Although no "fool-proof" preventive measure exists, hospitals can best protect themselves by preparing for such attacks through staff training, vigilant monitoring, preventing one system from infecting another, installing "well-vetted security technologies" and updating software, among other things, he said.

"Hospitals need to become resistant to attacks spreading virally and they need to become more resilient," he said. "It's about creating multiple layers of defense to slow down or stop these criminals before they cause too much damage."

National health care companies must be especially vigilant.

"There is a new responsibility for large organizations that manage multiple care providers across multiple regions to ensure that these providers are not sharing a single infrastructure without significant security checks and balances," Danahy said.

Patients can protect themselves by verifying the legitimacy of "any communication" seeking personal information and using "strong, unique" passwords, he said.

"It’s important to be a little skeptical, especially if something seems off," he said. "Basically, it’s about being cautious and questioning things a bit more. … If a contact or a request feels weird, it probably is."

bcravey@jacksonville.com, (904) 359-4109

This article originally appeared on Florida Times-Union: 'Ransomware' at Ascension hospitals, including Jacksonville, probed