Fraud Management & Cybercrime , Healthcare , Industry Specific

CommonSpirit IT Systems Still Offline One Month Post-Attack

Some Facilities Still Without Access to EHRs, E-Prescribing, Patient Portals
CommonSpirit IT Systems Still Offline One Month Post-Attack
MercyOne hospitals and clinics in Iowa are among CommonSpirit facilities still affected by a recent ransomware incident. (Photo: MercyOne)

Nearly one month after a ransomware attack on the nation's fourth-largest hospital network, CommonSpirit Health is struggling to bring back online various IT systems - including electronic medical records, prescriptions and patient appointment scheduling.

See Also: NHS Ransomware Attack: Healthcare Industry Infrastructures Are Critical

CommonSpirit has not publicly disclosed the names or total number of facilities that were affected by the Oct. 3 attack (see: CommonSpirit's Ransomware Incident Taking Toll on Patients).

Various parts of the medical care conglomerate have issued their own statements and periodic updates about the impact of the incident on their facilities. They include MercyOne, which operates a number of hospitals and other care centers in Iowa, and CHI Health, which operates hospitals and clinics in Iowa and Nebraska.

Chicago-based CommonSpirit is the result of several mergers and acquisitions involving other healthcare organizations, including the combination of Catholic Health Initiatives and Dignity Health in early 2019. CommonSpirit operates 142 hospitals and nearly 2,200 care sites across 21 states.

Slow Going

In its most recent statement addressing the situation, published Oct. 21, MercyOne says most hospital-based systems for its central Iowa facilities are back online, and so is its payroll platform.

CommonSpirit IT is still working to bring other systems back online for central Iowa clinic providers, including access to patient electronic health records and electronic prescription tools, MercyOne says. "It will take some time before we can restore full functionality, and we continue work to bring our systems up as quickly and safely as we can," MercyOne says.

Similarly, CHI Health in its most recent but undated statement says its parent company, CommonSpirit, is still managing "an IT issue" that is affecting some facilities.

"As a precautionary step, we have taken certain systems offline temporarily," CHI Health says. "As systems come back online, our providers will be able to access their patients' electronic health records."

CHI Health's patient portal is still temporarily suspended, and CHI providers are following offline processes to manage prescription medications for their patients, the statement says.

No Breach Determination Made - Yet

In an Oct. 17 update posted on its website - which a CommonSpirit spokesman on Friday told Information Security Media Group is the latest status for the incident - the parent organization says affected facilities are still following existing incident response protocols, which include taking offline certain systems such as EHRs and patient portals.

"We are working diligently every day to bring systems online and restore full functionality as quickly and safely as possible," CommonSpirit says.

CommonSpirit has yet to say whether patient information was compromised in the incident. The hospital chain says it notified law enforcement of the incident but has not disclosed the type of ransomware involved and whether a ransom was paid.

Patient Care

In a video released in recent days by MercyOne, several of its clinicians commented on effects of the incident.

While still able to care for patients, the IT outage has affected "communications" and access to electronic health records, they say. Another doctor asserts the incident has not affected patient care. Pharmacists, lab technicians, and doctors are providing care "the same way they did a month ago," that physician says.

At least one patient is known to have been affected by clinicians' inability to access certain IT systems during the CommonSpirit outage.

Earlier this month, MercyOne Des Moines Medical Center accidentally administered a toddler a dose of medication five times more than what was prescribed - and twice the amount that should have been prescribed based on the patient's age and size - due to staff being unable to use electronic prescription tools. The child's parent reports no long-term effects from the episode.

Recovery times in earlier ransomware attacks on some other healthcare entities also have been slow. A ransomware attack last year on San Diego, California-based Scripps Health affected IT systems for about a month.

Earlier this week, the Department of Health and Human Services issued guidance reminding healthcare entities of the importance of having documented and practiced incident response plans at the ready, especially as ransomware and other hacking incidents in the sector surge (see: Feds Urge Healthcare Entities to Train for Incident Response).

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.