Healthcare professionals, lawyers and cybersecurity experts are raising concerns about an often-overlooked bureaucratic process that can impede hospitals and medical providers in their efforts to recover from ransomware attacks, Wired reported June 24.
This red tape involves sending detailed "assurance" or "attestation" letters to connected organizations, adding another layer of complexity to the recovery process. For example, when healthcare organizations fall victim to ransomware, they must send these assurance letters to companies they connect their systems or software with. These letters aim to reassure these organizations that it is safe to reconnect following the ransomware attack. However, crafting and dispatching these documents can add significant pressure to those already grappling with the physically and mentally taxing operations of recovery.
"Negotiating with hundreds of vendors each with their own unique set of requirements to reconnect was an arduous and time-consuming process," Sean Fitzpatrick, vice president of external communications at St. Louis-based Ascension, told Wired.
Ascension, a network of 140 hospitals and thousands of affiliated providers across 19 states, was hit by a ransomware attack in May. Mr. Fitzpatrick stated that more than 95% of the health system's suppliers have been reconnected or are in the process of reconnecting following the incident. He emphasized that Ascension has strived to maintain maximum transparency throughout its recovery process.
Experts note that assurance letters are neither legally mandated nor exclusive to healthcare settings affected by ransomware, but they stress the need for more streamlined procedures in critical situations involving patient safety. These letters, reviewed by Wired, typically consist of more than 40 questions about the cyber incident. They seek detailed accounts of the attack timeline, the response measures implemented and any supporting evidence gathered during the event.
Shane Thielman, CIO of San Diego-based Scripps Health, which operates more than 70 hospitals and clinics, told Wired that following its May 2021 malware attack, it had to prepare 30 letters for its clinical, business and administrative software partners.
"Initially, there were several vendors that did not accept the assurance letter and requested additional technical documentation and information," Mr. Thielman said. "However, this was limited and ultimately did not result in a delay to restoring access to systems at Scripps."