The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

CommonSpirit Health Says EHRs Mostly Back Online Following Ransomware Attack

CommonSpirit Health has recently provided an update on the progress that has been made in recovering from an October 2022 ransomware attack that affected many facilities across its network. The attack was detected on October 3, which forced the health system to take its IT systems offline, including its MyChart electronic health records (EHRs). CommonSpirit Health, Catholic Health Initiatives (CHI Health), MercyOne, and St. Luke’s Health facilities were affected and have been operating under emergency procedures since the attack. CommonSpirit Health had previously stated that there was no impact on patient care and associated systems at Dignity Health, TriHealth, and Centura Health.

It has now been more than a month since the attack and business operations have yet to return to normal; however, CommonSpirit Health has recently confirmed that the majority of impacted locations now have access to their EHR systems again and patients of those facilities should now be able to access patient portals to view their medical records. Appointment scheduling systems are still affected, so patients have been advised to contact their provider’s office directly to arrange appointments.

A forensic investigation into the attack was launched; however, the priority has been patient safety and bringing affected systems back online as quickly and safely as possible. The forensic investigation is trying to establish how the attackers gained initial access to the network, so that security updates can be performed, and to determine the extent, if any, to which patient data has been compromised. CommonSpirit Health will provide further updates pending the outcome of the investigation. The incident has been reported to law enforcement and third-party cybersecurity consultants have been engaged to assist with the recovery.

While some healthcare organizations have been able to recover from ransomware attacks relatively quickly, within 1 or 2 weeks following an attack, longer disruptions are common, with the average recovery time being 22 days. Several factors can affect the recovery time, including the extent of the attack, the complexity of the IT environment, and whether a practiced incident response plan was in place. The importance of planning for security incidents and having a practiced incident response plan was recently emphasized by the HHS’ Office for Civil Rights in its October 2022 Cybersecurity Newsletter.


Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
