Patients at hospitals in one of the largest healthcare systems in the United States are facing delays in care due to a cyberattack. The disruption is stretching into its second week.
CommonSpirit Health, which operates more than 700 healthcare sites in over 20 states, said in a statement on October 4th that it was “managing an IT security issue” and that it needed to take some systems offline — including electronic medical records. The issue was caused by a ransomware attack, a source told NBC News.
Doctors rely on IT systems and electronic medical records to see patient scans, check medication, and remember details about each patient’s specific treatment plan. Without them, they’re left taking notes on paper and ferrying them through a hospital by hand. Research is starting to show that hospitals under strain from cyberattacks like the one at CommonSpirit Health have higher death rates than places not suffering attacks.
Patients at CommonSpirit Health hospitals are already having care affected. One woman in Texas told NBC News that her husband’s doctor recommended delaying surgery until systems were back online. St. Michael Medical Center said it couldn’t do a CT scan on a patient with a brain bleed, the patient’s wife told the Kitsap Sun.
CommonSpirit Health isn’t releasing details about which of its hospitals were impacted by the attack, but locations in Nebraska, Iowa, Washington, Texas, and Tennessee have said they were affected. If all the facilities are facing issues, it’d be “the most significant attack on the healthcare sector to date,” Brett Callow, a threat analyst with cybersecurity provider Emsisoft, told The Associated Press.
It’s not unusual for hospitals facing ransomware attacks to stay tight-lipped about attacks — they risk their reputation, Sung Choi, assistant professor at the University of Central Florida department of health management and informatics, told The Verge last year. The healthcare sector has been reluctant to acknowledge the relationship between cyberattacks and patient health. It’s only in the last year or so that these conversations bubbled to the surface. But as cyberattacks on hospitals and healthcare organizations become more and more frequent, the issue becomes impossible to ignore.