Despite EHR outages, canceled appointments and delayed surgeries at its hospitals across the nation, Chicago-based CommonSpirit Health has been slow to release details on the massive IT security incident.
CommonSpirit, which has 140 hospitals across 21 states, hasn't said anything past an Oct. 5 statement that it has "identified an IT security issue that is impacting some of our facilities" and is "continuing to investigate this issue and follow existing protocols for system outages." Meanwhile, an unnamed source told NBC News in an Oct. 7 story that the incident is due to ransomware. As Becker's reported, the event occurred after the exodus of several senior tech leaders in the months prior.
"I think CommonSpirit is hurting their brand more than they realize," Michael Kearns, chief information security officer of Omaha-based Nebraska Methodist Health System, said in an email to Becker's. "They have been so silent on this incident the public is running out of patience. My experience is the public is understanding of a ransomware event, but to 'ghost the public' for this long might be legally smart but is terrible for their brand."
Becker's contacted CISOs for insights as to why health systems may be slow to release information amid IT disruptions or cyberattacks.
Mr. Kearns said that once an event is declared and the cybersecurity insurance carrier is brought in, outside legal counsel almost always directs communication going forward. Legal implications begin as soon as an organization officially declares an event, he said.
An anonymous purported employee of CommonSpirit wrote on Reddit that staffers have been learning more about the incident from the media than health system leadership. CommonSpirit, the nation's second-largest nonprofit health system, didn't respond to requests for comment for this story.
Joe Voje, CISO of Mountain View, Calif.-based El Camino Health, said health systems may be slow to publicize details because they don't yet fully understand either how the hack happened or the scope of the data breached.
"Many cybersecurity and IT teams are understaffed, and the additional duties associated with an investigation push them past what they can accomplish in a given time frame," he said. "Also, if they are struggling to remediate the vulnerabilities that were used to compromise them, then they certainly don't want to send up a signal flare that says, 'Come and get us.'"
Public disclosure beyond what's required from the state and federal government could also be used against the organizations in any future lawsuits, he said.
Typically, institutions that have experienced a hack follow a framework, such as the one from the National Institute of Standards and Technology that advises organizations to "identify, protect, detect, respond and recover," said Michael Chirico, CISO of New Brunswick, N.J.-based Saint Peter's Healthcare System.
"Before disclosing any details, an organization must determine what benefit there is in disclosing information to the public, what level of detail they can disclose (with certainty) and, perhaps first and foremost, has the malicious activity and/or actor been contained (aka, is it over)?" he said.
Feisal Nanji, executive director of cybersecurity firm Techumen, said organizations delay releasing details publicly because they're "scared or unprepared."
"Most healthcare institutions have poor incident-reporting plans," he said. "Rarely do they perform tabletop exercises that involve senior leadership. This paralyzes decision making, since the CIO has to explain the issue to the CEO, legal counsel, HR, public relations, outside counsel — and they've never practiced this before."