2 Minute Drill: Navigating Cybersecurity Crises in Healthcare: The Ascension Outage Breakdown
Episode 27 • 11th May 2024 • This Week Health: Newsroom • This Week Health

Transcripts

Hey everyone, I'm Drex, and this is the Two Minute Drill, brought to you exclusively by ORDR, the Connected Asset Visibility and Security Company. See every technical asset, protect against threats, and address compliance requirements with ease. ORDR is a great way to find and eliminate blind spots. Find out more at thisweekhealth.com slash ORDR. That's O R D R. ThisWeekHealth.com slash ORDR. On the Two Minute Drill, we do at least three stories at least two times a week, all part of one great community: the 229 cyber and risk community here at This Week Health. And before I start, it's really easy to be a part of this community.

Take a look at ThisWeekHealth.com slash security and click on the Join the Community button. If you do that, I'll keep you posted on all the cool stuff happening not only in the cyber and risk community, but in all the 229 communities at large. Thanks for joining me today. Here's some stuff you might want to know about.

The big news that's been breaking and updating over the past couple of days, and I'm going to count this one event as three stories because there's a lot being written about it. The big news is the cybersecurity outage at Ascension, one of the largest healthcare systems in the country. Here's what we think we know so far.

Sometime Wednesday morning, Ascension picked up on some unusual activity on their network, which turned out to be a cyber event. They've engaged Mandiant for incident response, and in an odd coincidence, I actually talked about a new cybersecurity report from Mandiant on Tuesday's Two Minute Drill.

Ascension's EHR patient portal and some phone systems are offline. So are some systems used to order lab tests and medications. The emergency departments for several hospitals are also currently on diversion. Physicians are reporting having to write everything on paper and physically go down to radiology if they want to see a patient's x-rays.

billion in:

For Ascension's part, they've assured everyone that their teams have trained for these kinds of downtimes, and they'll keep communities updated on their efforts to clean up and fix up and restore systems. Their latest comments are updated regularly on the Ascension website. But this makes me think of another really important point, and if you're in the middle of or starting a hospital acquisition, or you're even considering a hospital acquisition, here's what the Ascension cyber event has highlighted for me. In many cases, especially if you're acquiring a hospital from another multi-hospital system, you'll wind up signing an agreement that says, in effect, the divesting hospital will continue to provide information services, including things like EHR and network and phone services, to the acquiring hospital.

That agreement usually extends for some period of time until the acquiring organization can get everything converted over to their own systems. Now this turns out to be a no-kidding danger zone for a lot of reasons, not the least of which is what happens if the divesting organization, someone like Ascension, has a cyber incident and takes everything offline while you're in this transition period, meaning the hospital you've acquired also goes down because of the event.

And I'm not just making up a theoretical here, I actually know a place where this exact thing is happening right now. And through absolutely no fault of their own, the acquiring organization is now neck deep in a cyber incident that they have little or no control over. Which begs the question, and maybe they're the same kinds of questions you want to make sure you now have addressed in any future M&A deal that would have, you know, this kind of an extended services agreement.

What kind of transparency do they have to provide in the event of a cyber attack? And what kind of actions are you expecting them to take on your behalf? Because remember the acquiring organization now owns the hospital, and the divesting organization is essentially acting as a third party services provider.

A lot like, dare I say it, because I know you don't want me to say it, but I gotta say it, a lot like Change Healthcare. In essence, if you want to look at it this way, and in the case of acquiring organizations who've not fully transitioned from Ascension to their own internal systems, I think it's perfectly appropriate.

In this case, this is a third-party provider who's had a breach and it's massively affected their ability to deliver health care. So on your things to think about now, if you're headed toward an acquisition, make sure you're thinking about this issue. There's more M&A going on than ever before, and if you're keeping up on the latest at ThisWeekHealth.com slash news, you'll see there's likely to be even more hospitals sold over the next year. So, heads up! If you're the acquiring organization, you're likely going to be signing one of these kinds of service agreements with the divesting health care system. Anytime something like this happens, it's of course painful for patients and families, but it's also painful for care providers and staff.

And it's easy to start to feel like somebody should be to blame. But it's also really important to remember that Ascension is most likely a victim of a crime. And because of the widespread way it endangers patients' lives, some might call it a terrorist event. Although I'm sure somebody's going to send me a note and say, no, there's a legal definition for that.

And it doesn't really fit the situation. But regardless, if you're like me, every day I see these. And it makes me angry. I would just say chin up, right? Let's all keep working on it. Clearly, cyber safety is patient safety, and that's just not a saying. That's the world that we live in today. I'll keep you updated.

And if there's any way I can help, just yell. Thanks again to our partner, ORDR, the exclusive sponsor of the 2 Minute Drill. ORDR continuously identifies and classifies hard-to-manage IoT and IoMT and OT devices, eliminating blind spots. You should also talk to them about ORDR AI Chasm. It's pretty cool.

It's available in the AWS Marketplace now. And that's it for the 2 Minute Drill. Thanks for your time today. Stay a little paranoid. I'll see you around campus.
