Healthcare leaders are praising St. Louis-based Ascension for its communications response to a recent cyberattack, pointing to the health system's transparency and speed in divulging information.
The 140-hospital system took its IT network offline May 8 after discovering hackers had breached its systems. Ascension confirmed it had fallen victim to a ransomware attack three days later. The Catholic health system also launched a website with state-by-state updates on the outage.
"Ascension can serve as an example of providing rapid, full transparency and communications, especially working with the FBI and the federal government to help warn the nation," John Riggi, national adviser for cybersecurity and risk for the American Hospital Association, told Becker's.
After discovering the cyberattack, Ascension immediately contacted the FBI and Cybersecurity and Infrastructure Security Agency and informed its vendors to disconnect from its network, said Sean Fitzpatrick, vice president of external communications for the health system.
"We also have prioritized very straightforward and honest conversations with our associates, vendor partners, patients, and the communities we serve," Mr. Fitzpatrick said. "From day one, our focus has been continuity of patient care and providing timely and accurate information to our patients and communities as we continue to respond to the attack."
Healthcare consultant Rhoda Weiss, PhD, regularly meets with health system marketing and communications executives from around the country. She said several have noted to her in recent days how impressed they have been with Ascension's openness about the cyberattack.
"Everyone I talk to agrees this may be the most transparency any of us has seen in our careers," she said.
Ascension has been balancing getting information out quickly with making sure it is accurate, running updates through teams across communications, information security, legal and operations, Mr. Fitzpatrick said. "Transparency is important in these communications, but so is credibility," he added.
Other healthcare organizations have drawn criticism for their delay in relaying information about cyberattacks. For comparison, Chicago-based CommonSpirit Health took 10 days to confirm it was the victim of a ransomware attack in 2022, while Change Healthcare didn't disclose that ransomware was the reason for a recent IT outage for eight days.
Mr. Riggi, however, noted that in some cases law enforcement may advise organizations to stay tight-lipped about a cyberattack if it would hamper the ability to disrupt the hackers or retrieve data.
"It's important to acknowledge that there is no one-size-fits-all approach when it comes to responding to cybersecurity incidents," Mr. Fitzpatrick said. "Any cybersecurity incident can present its own unique challenges and response needs based on the operational impact of the ransomware attack. What's important in these plans is prioritizing open and honest communications and getting out necessary updates so that associates, vendor partners, patients, providers and our communities can plan accordingly. That’s what we are striving for and will continue to prioritize throughout our response to this incident."
Providing accurate, speedy information also ensures local hospital staffers have the latest updates on operational status and backup procedures, while sharing facts with the public and other organizations can bolster the industry's cybersecurity defenses overall, he added.
"Ascension is a shining example, quite frankly, in that area of cooperation and transparency," Mr. Riggi said. "We hope, first of all, there are not other ransomware attacks. But unfortunately we do not see these attacks ceasing anytime soon. And we would hope that they would serve as a role model for other victim organizations."