Hackers were able to launch a ransomware attack on St. Louis-based Ascension, disrupting its IT systems and operations for 140 hospitals, because an employee did something thousands of people do every single day.
"An individual working in one of our facilities accidentally downloaded a malicious file that they thought was legitimate," stated Ascension in a June 12 statement posted to the health system's website. "We have no reason to believe this was anything but an honest mistake."
The ransomware attack occurred on May 8, forcing hospitals and clinics off the EHR system. Care teams reverted to paper records as the health system worked with cybersecurity experts to restore IT functionality. EHR access has been restored in many markets.
Ascension also discovered the hackers removed files from seven of the system's 25,000 servers across its network, possibly exposing patient data.
The health system hasn't revealed how long it took from the time the malicious file was downloaded to when the hackers attacked.
Health system CIOs and chief information security officers are on high alert after the attacks against Ascension and Change Healthcare earlier this year, which disrupted operations for hundreds of hospital and physician clinic clients nationwide. Many are examining their cybersecurity efforts and making extra investments to prevent attacks as much as possible.
"What still makes me nervous is the sophistication of attacks and the sheer number [of attacks] that seem to be popping up," said Steven Ramirez, chief information security and technology officer for Renown Health in Reno, Nev., on an episode of the "Becker's Healthcare Podcast." "That's really what keeps me up at night because we can be doing everything correctly [and still get hit]. We've been emphasizing a lot of security hygiene that we should be doing from the security control processes and access management, and then that can all crumble by the wayside by either a vendor or social engineering."
Hackers are using social engineering techniques to convince people their malicious links are legitimate.
"We're seeing extremely sophisticated attacks. We're seeing the service desk start to be more of a target to go after various types of access," said Mr. Ramirez. "A lot of emphasis that we had originally put on just access management continues to expand and become more Swiss cheese on additional holes and ways [hackers] can get in. That's something we need to continue to get creative in training and awareness around."
Mr. Ramirez said he expects it to become increasingly difficult for security tools to identify phishing emails and malicious activity on the system.
"That's where we're going to have to evolve to how we can have AI on the good side to start to combat components of that moving forward," he said.