Ascension Undergoes Cyber Attack Amid Rising Cyber Threats in Tennessee Healthcare
In a recent wave of cybersecurity breaches affecting healthcare providers, Ascension, a prominent health company in Tennessee, has become the latest victim. The St. Louis-based parent company, which operates the Saint Thomas hospital system and numerous other facilities statewide, announced a ransomware attack roughly a week ago. This attack places Ascension among nearly two dozen healthcare companies in Tennessee that have experienced cyberattacks in recent years.
The Incident and Immediate Response
On May 8, Ascension detected unusual activity within its network, which was confirmed as a ransomware attack the following day. The company has been actively providing updates since the initial discovery and over the weekend released a statement affirming its collaboration with several law enforcement agencies currently investigating the breach.
While Ascension has refrained from commenting on the identity of the attackers, speculation abounds. Various organizations, including the American Hospital Association, have suggested involvement by Black Basta, a notorious Russian-speaking ransomware gang.
The Impact on Operations
Despite the attack, Ascension’s website assures patients that essential services like surgeries and appointments remain unaffected. However, some emergency rooms have adopted a “divert” status, directing ambulances to alternate hospitals. The most prolonged disruptions are expected in communication technologies, such as electronic health record systems, patient portals, and the systems used for ordering tests and medications. Nevertheless, imaging and testing services continue to operate, albeit with potential delays.
Broader Implications and Industry Response
The healthcare sector has seen a marked increase in cyberattacks, with incidents more than doubling in the past five years. Health data is particularly lucrative on the black market, fetching higher prices than even credit card or social security numbers. Consequently, healthcare providers are prime targets for cybercriminals.
Under U.S. regulations, healthcare companies must report breaches affecting more than 500 individuals to the Department of Health and Human Services (HHS) within 60 days. While the HHS complaint portal has not yet listed the Ascension attack, it has documented 23 other breaches in Tennessee over the past few years. Notably, these figures may include national companies based in Tennessee, skewing the numbers beyond just local impacts.
Financial and Legislative Reactions
In the wake of the attack, Fitch Ratings, a major credit rating agency, issued commentary on the incident. While Ascension’s credit rating remains unaffected, Fitch highlighted the increasing prevalence and severity of cyberattacks in the healthcare sector. The agency underscored the critical need for vigilance, as future attacks could potentially disrupt healthcare delivery more significantly.
This cybersecurity incident follows others in Tennessee, including breaches at insurance companies like Blue Cross Blue Shield of Tennessee and smaller hospitals such as the Murfreesboro Medical Clinic. Furthermore, a Tennessee-based company, Change Healthcare, experienced the largest health data hack in U.S. history earlier this year, affecting millions and disrupting operations nationwide.
Legislative Efforts
In response to the growing cyber threat, Tennessee lawmakers have considered legislative measures aimed at mitigating the impact of data breaches. This year, they debated a bill designed to make it more challenging to file class action lawsuits against healthcare companies following a breach. Current laws require companies to exercise “reasonable care” in preventing data leaks. However, Senate Bill 2018 and its counterpart, House Bill 2434, proposed raising the standard to require proof of willful or reckless negligence. Although the bill passed the House, it stalled in the Senate, reflecting ongoing debates on balancing corporate accountability with the evolving cybersecurity landscape.
Final Thoughts
The ransomware attack on Ascension underscores the escalating cybersecurity threats facing healthcare providers in Tennessee and beyond. As cybercriminals become more sophisticated, healthcare organizations must bolster their defenses to protect sensitive patient data and ensure uninterrupted service delivery. Ongoing legislative efforts and industry vigilance will be crucial in addressing these challenges and safeguarding the integrity of healthcare systems.