(480) 923-0802

Our Take: Ransomware attack continues to disrupt business at CommonSpirit

Oct 17, 2022

The “IT security issue” that CommonSpirit Health reported earlier this month turned out to be a ransomware attack that is still creating problems at an undisclosed number off the health system’s hospitals and other sites of care in multiple states.

With 140 hospitals across 21 states, CommonSpirit is the second-largest nonprofit health system in the U.S. Problems began to surface on or around Oct. 3 at various locations — including CHI Health facilities in Nebraska and Tennessee, Virginia Mason Franciscan Health in the Seattle area, MercyOne Des Moines Medical Center, St. Luke’s Health in Houston, and Trinity Health System in Michigan.

Initially, CommonSpirit acknowledged that it had “identified an IT security issue that is impacting some of our facilities” and said it was investigating the issue and following “existing protocols for system outages.” The protocols included taking certain systems offline, such as electronic health records and portals that patients use to access their medical records and communicate with their care team.

NBC News reported on Oct. 7 that the IT security issue was a ransomware attack, citing “a person familiar with [the health system’s] remediation efforts.”

On Oct. 12, CommonSpirit updated its statement to reflect that the security issue was indeed a cyberattack and that a forensics investigation was ongoing. It also noted  that it would “seek to determine if there are any data impacts.”

The updated statement did not provide much detail on the severity of the attack, nor did it offer an estimated time frame for resolving the situation.

“Systems serving Dignity Health and Virginia Mason Medical Center have had minimal impacts on operations by this incident. For the other parts of our health system that have seen impacts on operations, we are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible.”

CommonSpirit said in the updated statement that it had engaged cybersecurity specialists and notified law enforcement.

Our Take:  What CommonSpirit is going through is probably every health system’s worst nightmare, yet most are woefully unprepared for this sort of threat.

Various news outlets reporting on the ransomware attack at CommonSpirit said that patients at some facilities have had their appointments and surgeries canceled or rescheduled, lab results and imaging reports have been delayed, ambulances have been diverted, online appointment scheduling has been suspended, routine tasks and processes are taking longer because staff has to use paper charts, files, and forms, and even payroll reportedly has been affected at at least one hospital.

Cyberattacks like the one affecting CommonSpirit are on the rise. In a Wall Street Journal article, Brett Callow, an analyst at cybersecurity firm Emsisoft, said 18 hospital chains in the U.S. have experienced ransomware attacks so far this year.

Sophos, another cybersecurity firm, stated in a report that 34% of the 328 health care organizations it surveyed in 31 countries were hit by ransomware in 2021.

In a recent blog post published by Comparitech, Paul Bischoff wrote that 108 separate ransomware attacks in the U.S. last year affected 2,302 medical organizations, potentially impacting nearly 20 million patient records. The attacks cost the organizations an estimated $7.8 billion in downtime. Only a few of the ransom amounts were disclosed publicly; those available ranged from $250,000 to $5 million.

San Diego-based Scripps Health was one of the organizations attacked last year. Fierce Healthcare reported that operations at the health system were disrupted for several weeks after the May 1 attack, and the hackers stole patient information from an estimated 150,000 patients. The ransomware attack cost Scripps Health $112.7 million in lost revenue and expenses associated with the incident.

A September 2020 ransomware attack resulted in a network shutdown throughout Universal Health Services’ U.S. facilities and cost the health system $67 million, mostly in lost operating income.

There’s no guarantee that paying the ransom will lead to the return of all data. The Sophos report noted that the 25 health care organizations that paid the ransom to get their data back only received an average of 69% of their data.

Cybersecurity experts say most hospitals and health systems need to be spending more on IT security to prevent data breaches and ransomware attacks. Typically, only about 5-7% of hospital IT budgets is earmarked for cybersecurity. By comparison, other industries commonly spend 10-15% of their IT budget on cybersecurity.

In light of the financial toll the pandemic has taken on many of the country’s hospitals and health systems, it’s a tough call to increase spending in areas not directly associated with patient care. But, as cybersecurity experts are quick to point out, investing in better security can be far less costly than dealing with the fallout from an attack.

We don’t know what percentage of CommonSpirit’s IT budget has been spent on cybersecurity, but there’s a good chance it will be increasing.

What else you need to know
Fred Hutch Cancer Center is the new “brand” of the nonprofit organization created in April when Fred Hutchinson Cancer Research Center merged with Seattle Cancer Care Alliance and became UW Medicine’s cancer program. The organization has launched a rebranding campaign that includes a new logo. In separate news last week,  the family of Jeff Bezos — specifically, his mother, Jackie Bezos, and stepfather, Mike Bezos — committed to donating $710.5 million over the next 10 years to accelerate cancer and infectious disease research at Fred Hutch. The organization noted that the “landmark gift builds on previous Bezos family funding for research in immunotherapy treatments.”

The merged Beaumont-Spectrum health system has a new name: Corewell Health. Since February, when Beaumont Health and Spectrum Health combined, the resulting entity — Michigan’s largest health system — took the temporary name BHSH System. The new name and a new logo were announced on Tuesday, along with the new names of the health system’s 22 hospitals and three medical groups. Signage and “digital properties” reflecting the new names will be rolled out over a two-year period. Priority Health, which was Spectrum’s health plan before the systems combined, will retain its name.

Walgreens will pay approximately $392 million to acquire the remaining 45% stake in CareCentrix, a Hartford, Conn.-based company that provides care coordination for services such as home nursing, durable medical equipment, home infusion, and in-home palliative care, as well as outsourced benefit management services. Walgreens completed its 55% majority investment in CareCentrix on Aug. 31, paying $330 million for that acquisition. If certain closing conditions are met, Walgreens expects to close on the full acquisition by next March, after which CareCentrix will continue “as a distinct business and brand.” According to a press statement, John Driscoll, CareCentrix’s, will take on a new role later this month as executive vice president at Walgreens Boots Alliance and president of Walgreens’ U.S. Healthcare unit, which encompasses VillageMD, Shields Health Solutions, CareCentrix, and Walgreens Health. Steve Horowitz, currently CareCentrix’s chief financial officer, will become CareCentrix’s CEO.

Merck exercised an option in its license agreement with Moderna to jointly develop and commercialize an investigational personalized cancer vaccine, mRNA-4157/V940. Moderna is evaluating the vaccine in a Phase II trial in combination with Merck’s Keytruda (pembrolizumab) as an adjuvant treatment for patients with high-risk melanoma. Primary data from the trial is expected this quarter. The two companies have been collaborating on personalized cancer vaccines since 2016, according to a joint press release. Merck will pay Moderna $250 million to exercise the option, and the companies will equally share costs and potential profits.

Northwell Health broke ground on a new $450 million outpatient facility that will be anchored by cancer care programs led by the Northwell Health Cancer Institute. The new 200,000-square-foot Northwell Medical Pavilion will also offer neuroscience services and cardiac care, along with other medical specialties, the health system noted in a news release. Imaging, lab testing, holistic wellness services, acute and chronic disease management, and social work services will be available as well.

What we’re reading
Research Brief: Administrative Waste’s Role in Excess US Health Spending. Health Affairs Forefront, 10.6.22 
Association of the Home Health Value-Based Purchasing Model With Quality, Utilization, and Medicare Payments After the First 5 Years. JAMA Health Forum, 9.22.22
Physician Practice Consolidation: Considerations for the Remaining Independents. NEJM Catalyst, 9.21.22 (subscription required)

What else we’re reading
After reading the Prologue to Beth Lazurus’ Raising Lazarus: Hope, Justice, and the Future of America’s Overdose Crisis, I couldn’t bring myself to read such depressing stuff on the breathtaking shores of Poipu, Kauai. So on our first day of vacation we went to one of my favorite used book stores, Talk Story Bookstore in Hanapepe — the town where Lilo and Stitch are from (no, really) — and found two books: John Irving’s Last Night in Twisted River and The Blank Slate: The Modern Denial of Human Nature by Steven Pinker. I took a heroic bite out of Pinker, but soon realized my brain just wasn’t up to the task, and thankfully switched to the wonderfully bizarre world of John Irving for the rest of the trip.

I wasn’t the only one with misplaced ambition. Sitting next to us on the beach on our last day was a young couple on their honeymoon, and I noticed sitting on the blanket was an unopened copy of Nietzsche’s Thus Spoke Zarathustra. After a couple of unsuccessful attempts, the groom told me, it was time for some movies on his iPad.

Contact Darwin Research Group and we will get right back to you.