The Ascension Health Ransomware Attack: A Solvonex Overview

There are a lot of scary or heart-wrenching things to hear in a hospital or doctor’s office. If you have lived long enough, or if you have had an unfortunate life circumstance with health issues, you have experienced this and know what it is like.

We want to say from the outset of this article that we are not here to “pile on” to the negative comments about the Ascension Health ransomware attack that occurred in May and went on for maybe weeks. Their goal as of the publishing of this article was to have record systems restored by June 14, 2024, so it is possible it may be over any time during or after the publishing of this article.

We still do not have all of the facts verified, and the FBI is involved with the investigation, so it is possible some information will remain classified for a while. A lot of IT people and hospital administrators, as well as front-line workers at the care facilities, nurses, and doctors, were left in a horrible place. They have a hard enough job as it is, so we hope they are OK.

No, we are not going to pile on negative comments here. We’ll let the information come out and see whether we get public verification of what actually happened. The lawsuits are ramping up, claiming the hospital did not encrypt its patient records.

Is that true about the patient data encryption? We don’t know yet, and “encrypting all data” is not that easy. In addition, even if it was encrypted in multiple places, including in transit, at rest, and in some kind of database format, would that have mattered? We can get into the technical weeds here, but the hospital says that the employees had additional training for cybersecurity, and they have closed their security holes.

Let’s “What If” for a moment: What if a user’s credential, or a series of credentials, were taken, allowing the bad guys to gain access with legitimate logins? Maybe systems were shut down and admin accounts locked out. Maybe it wasn’t “ransomware” in the traditional sense. Something tells us it was fairly complicated, because a simple data restore could have dealt with many aspects of ransomware if it was just that…we just do not know…yet.

And, go with us on this one, maybe the hospital did everything right? Perhaps all of their controls and training were adequate for the times and for the stage they had envisioned they would be at if something bad happened. Maybe the landscape has changed? Perhaps the weakest link in any cyber security chain is the end user. We are very anxious to hear what may have happened so the experience can be used as lessons learned for others.

Having said that, we did compile some information to get us a summary and baseline for what happened and to create a basis for our reporting.

The Incident

In late May 2024, Ascension Health, one of the largest Catholic health systems in the United States, fell victim to a sophisticated ransomware attack. The cybercriminals infiltrated the network, encrypting sensitive data and demanding a hefty ransom in cryptocurrency to restore access. The attackers used advanced techniques to bypass security measures, indicating a well-coordinated and highly skilled operation.

Immediate Impact

The ransomware attack had immediate and far-reaching consequences:

  1. Operational Disruption: The encryption of critical data caused significant disruption to healthcare services. Many non-urgent procedures were postponed, and some patients were diverted to other facilities. The attack hindered the ability of healthcare providers to access patient records, impeding their ability to deliver timely and effective care. Note: This impacted family members of our employees, so we saw some of the challenges with getting patient records firsthand and have spoken to those patients to get their take. Needless to say, they were scared but are not angry.

  2. Data Breach Concerns: Although the primary goal of ransomware is typically to extort money, the attack also raised concerns about potential data breaches. Sensitive patient information, including personal identification details, medical histories, and financial data, was at risk of being exposed or sold on the dark web.

  3. Financial Impact: Beyond the ransom demand, Ascension Health faced substantial financial repercussions. These included costs associated with incident response, system restoration, legal fees, and potential fines for non-compliance with data protection regulations.

  4. Reputation Damage: The attack tarnished Ascension Health's reputation, shaking the confidence of patients and stakeholders. Trust is paramount in the healthcare sector, and the breach of sensitive information can have long-lasting effects on the organization’s credibility.

Response and Recovery

Ascension Health's response to the attack was swift and multifaceted, according to what we could find publicly revealed:

  1. Incident Response Team: A dedicated incident response team was activated to contain the attack, assess the damage, and initiate recovery processes. This team worked around the clock to restore systems and services.

  2. Collaboration with Authorities: Ascension Health cooperated with law enforcement agencies, including the FBI, to investigate the attack and track down the perpetrators. This collaboration was crucial in understanding the attack's scope and preventing further damage.

  3. Communication Strategy: Transparent communication was maintained with patients, employees, and the public. Regular updates were provided to ensure stakeholders were informed about the situation and the steps being taken to resolve it.

  4. Enhanced Cybersecurity Measures: In the wake of the attack, Ascension Health implemented enhanced cybersecurity measures. This included strengthening network defenses, deploying advanced threat detection systems, and conducting comprehensive security training for employees.

Lessons Learned

The Ascension Health ransomware attack serves as a stark reminder of the critical need for robust cybersecurity in the healthcare sector. Key takeaways from this incident include:

  1. Proactive Cybersecurity: Organizations must adopt a proactive approach to cybersecurity, continually assessing and updating their defenses to stay ahead of evolving threats.

  2. Employee Training: Regular and comprehensive cybersecurity training for employees is essential. Human error is often a significant factor in successful cyberattacks.

  3. Incident Response Planning: Having a well-defined and tested incident response plan can significantly mitigate the impact of a cyberattack. Quick and coordinated action is crucial in minimizing damage.

  4. Collaboration: Collaboration with cybersecurity experts and law enforcement agencies can enhance an organization’s ability to respond to and recover from an attack.

  5. Data Backup and Recovery: Regular data backups and a robust recovery plan are vital. Ensuring that data can be restored quickly and accurately can reduce the leverage cybercriminals have in a ransomware attack.

Also, the ransomware attack on Ascension Health has incurred substantial costs, encompassing direct financial losses and broader operational impacts. While an exact figure for the total cost is not publicly disclosed, the expenses can be estimated based on several factors.

  1. Ransom Payment and Recovery Costs: Although it is unclear whether Ascension paid the ransom, the costs associated with recovery efforts are significant. Hiring cybersecurity experts, such as Mandiant and Palo Alto Networks, to assist with system restoration and forensic analysis adds to the financial burden.

  2. Operational Disruption: The attack disrupted operations across 142 hospitals, leading to delays in patient care, the postponement of elective procedures, and the diversion of emergency services. These disruptions likely resulted in lost revenue and increased operational costs as staff reverted to manual processes and emergency procedures (HIPAA Journal) (HealthITSecurity).

  3. Legal and Regulatory Costs: The attack has led to multiple class action lawsuits, alleging negligence and inadequate data protection measures. Legal fees, potential settlements, and fines for non-compliance with data protection regulations add to the financial impact (HIPAA Journal).

  4. Reputation Damage and Customer Trust: The breach affected patient trust and could lead to long-term financial consequences, such as loss of patients and increased expenditure on public relations and reputation management.

  5. Cybersecurity Enhancements: In response to the attack, Ascension has likely invested in bolstering its cybersecurity infrastructure to prevent future incidents. This includes upgrading systems, implementing advanced threat detection, and conducting comprehensive employee training.

The combined costs of these factors likely amount to tens of millions of dollars. While a precise figure remains elusive, the comprehensive financial impact highlights the severe consequences of ransomware attacks on healthcare institutions.

With all of the above laid out (and again, we have gathered and compiled what we could), there is still more to come. It is possible that the information above is not 100% correct, but what is clear is that people were affected by this attack and that it hurt a hospital system’s ability to deliver timely healthcare, which could have resulted in major issues…even death.

As more comes to light on this attack, we will compile and report what we can. We will also keep advising due diligence and employee training on cyber security matters, and encouraging business and IT departments to collaborate, take risk seriously, tackle these problems proactively, and work with law enforcement in a reactive manner as needed. Finally, it is obvious, or had better be, that patient record availability and efficiency in healthcare are tied in tremendous ways to IT systems. People’s survival, to be blunt, sometimes depends on IT systems being up and available.

More to come on this one…
