Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

Ascension cyberattack caused by employee downloading malicious file

Written by Tshedimoso Makhene | June 16, 2024

An Ascension Health worker mistakenly downloaded a harmful file, thinking it was legitimate, resulting in a cybersecurity breach.

 

What happened?

Ascension, a prominent healthcare network in the United States, disclosed that its May 2024 ransomware attack was caused by an employee who had downloaded a corrupt file onto one of the organization's devices. The attack affected critical systems, including the MyChart electronic health records, phones, and systems for ordering medical tests and medications, forcing Ascension to take some devices offline on May 8. As a result, employees had to track procedures and medications manually, non-emergent procedures were paused, and emergency services were redirected to avoid delays.

 

The backstory

In May 2024, Ascension Health detected a cyberattack that potentially affected 13.4 million individuals. The attack disrupted operations and patient care. Upon noticing unusual network activity, Ascension Health initiated an investigation and enlisted the help of Mandiant, a third-party cybersecurity expert.  Despite the disruption to clinical operations, efforts were being made to assess the full impact and duration of the incident.

Go deeper: Ascension Health falls victim to cyberattack, impacting 13.4 million

 

What was said?

Ascension Health believes that the attack was anhonest mistakeas the employee thought they were downloading a legitimate file.

According to Bleeping Computer, an Ascension Health representative confirmed that some file servers in regular use by colleagues were accessed by the hackers who successfully extracted data. These particular servers account for seven of the 25,000 servers present on their network. The spokesperson noted ongoing investigations and revealed concern over specific files containing protected health information (PHI) and personally identifiable information (PII), although diverse individuals' particulars may vary. However, there is no evidence proving that electronic health records (EHR) or other clinical systems holding complete patient records were compromised during this event, as per Ascension's statement.

 

By the numbers

  • Since April 2022, Black Basta has attacked numerous high-profile organizations, including:
    • Rheinmetall
    • Capita
    • ABB
    • Toronto Public Library
  • Joint research by Elliptic and Corvus Insurance reported that by November 2023, Black Basta had extorted over $100 million from more than 90 victims.
  • Ascension Health is one of the largest nonprofit health networks in the U.S.
    • Operates 140 hospitals and 40 senior care facilities
    • Reported total revenue of $28.3 billion in 2023
    • Employs 8,500 providers
    • Has 35,000 affiliated providers and 134,000 associates across 19 states and the District of Columbia.

 

In the know 

The ransomware attack on Ascension Health, though not officially linked to any specific group by the company, has been attributed to the Black Basta gang by CNN. A ransomware attack is a type of cyberattack where malicious software, or ransomware, infiltrates a victim's computer system, encrypts their data, and demands a ransom payment to restore access. These attacks often occur when an individual downloads a malicious file or clicks on a phishing link, installing the ransomware. Once inside the system, the ransomware can spread across networks, locking users out of essential files and systems. Prevention strategies include regular data backups, robust cybersecurity training for employees to recognize phishing attempts, maintaining up-to-date antivirus software, implementing strong access controls, and ensuring all software is regularly patched and updated to fix vulnerabilities. Organizations can significantly reduce the risk and impact of ransomware attacks by adopting these measures.

Following the attack, Health-ISAC (Information Sharing and Analysis Center),  issued a warning about Black Basta's increased targeting of the healthcare sector. 

Since its emergence in April 2022, Black Basta has attacked numerous high-profile organizations, including Rheinmetall, Capita, ABB, and the Toronto Public Library. Joint research by Elliptic and Corvus Insurance reported that by November 2023, the gang had extorted over $100 million from more than 90 victims.

See also: HIPAA Compliant Email: The Definitive Guide

 

Why it matters 

Ascension Health is one of the largest healthcare networks in the US, operating 140 hospitals and 40 senior care facilities across 19 states and the District of Columbia. The hack possibly affected 13.4 million customers, which shows the healthcare network's vast reach and significant impact. The potential compromise of personal and health information by such a large number of individuals highlights the need for robust cybersecurity measures in the healthcare industry. 

Employee training may have prevented the ransomware attack by equipping the staff with the knowledge to recognize and avoid phishing attempts and suspicious downloads. If the employee who mistakenly downloaded the malicious file had been trained to identify red flags, such as unexpected file requests or unfamiliar email senders, they would likely have refrained from opening the file. Regular training sessions can reinforce the importance of cybersecurity best practices, reduce human error, and create a vigilant workforce that acts as the first line of defense against cyber threats.

The investigation into the ransomware attack on Ascension Health is crucial for several reasons:

  • Scope and impact assessment: Ascension Health needs to determine the full extent of the attack, including how many individuals' data were compromised and the specific nature of the information accessed. This is vital for informing affected individuals and mitigating potential harm.
  • System restoration: Understanding the attack helps Ascension Health restore its electronic health records systems, patient portals, phone systems, and other critical medical ordering systems, ensuring that operations return to normal and patient care is not compromised.
  • Security improvements: Identifying the methods used by the attackers allows Ascension Health to strengthen its cybersecurity measures, preventing future incidents. This includes fixing vulnerabilities and enhancing employee training to avoid similar mistakes.
  • Regulatory Compliance: As a healthcare provider, Ascension Health is subject to strict regulations regarding data security and patient privacy. The investigation ensures compliance with legal obligations and helps avoid potential penalties.

FAQs

What are malicious files?

Malicious files are files intentionally designed to harm, exploit, or otherwise compromise computer systems and networks. These files can take various forms, including executable files, scripts, documents, and media files, and may contain malware such as viruses, trojans, worms, ransomware, spyware, or adware. When opened or executed, malicious files can perform unauthorized actions such as stealing data, encrypting files, creating backdoors for remote access, or disrupting normal operations. They often spread through email attachments, malicious links, compromised downloads, or exploits of software vulnerabilities. Recognizing and avoiding malicious files is crucial for maintaining cybersecurity.

 

What is the difference between PHI and PII?

Protected health information (PHI) refers to any health-related information that can identify an individual, such as medical records, treatment histories, and insurance information, and is protected under laws like HIPAA. Personally identifiable information (PII), on the other hand, encompasses any data that can identify an individual, such as names, social security numbers, and addresses, and is protected under various privacy laws and regulations.

Go deeper: What is the difference between PII and PHI?

 

How can I prevent a ransomware attack?

To prevent ransomware attacks, organizations can implement: 

  • Regular backup of data, 
  • Update software, 
  • Educate employees on phishing, 
  • Use reliable antivirus and anti-malware software, 
  • Strong access controls, 
  • Use email filtering, and network segmentation.