Cyberattacks on Ascension, Lurie are the latest in a string of health care breaches

First, they went after Lurie Children’s Hospital in Chicago.

Next, cybercriminals attacked Ascension, a large nationwide health system with 14 hospitals in Illinois.

In both cases, the hospital systems kept providing care, but took down their electronic health record systems and MyChart online patient portals.

It took more than a month for Lurie to get all of its systems back online after the January cyberattack. Ascension — which rescheduled some nonemergency surgeries and temporarily diverted some ambulances as a result of a hack earlier this month — is still untangling the mess.

“We are focused on getting systems back up and running as safely and as quickly as possible,” Ascension said in a statement Wednesday. “Please be aware that it may still take some time to return to normal operations.”

Lurie and Ascension are hardly alone when it comes to battling increasingly sophisticated cybercriminals going after health care organizations. Last year, a record 725 large health care security breaches were reported to the U.S. Department of Health and Human Services Office for Civil Rights, according to the HIPAA Journal, which covers news related to the Health Insurance Portability and Accountability Act. The number of large, reported health care breaches increased by 93% between 2018 and 2022, according to the health and human services department.

“They keep coming,” said Ashraf Shehata, U.S. sector leader for health care for KPMG, an accounting and advisory firm. “When there’s a successful attack, you’re going to see more and more and flow into that space.”

Cyberattacks have been a problem facing many industries for years. But health care systems are particularly attractive targets for cybercriminals because of their size, their dependence on technology and the large amounts of sensitive data they hold, according to the health and human services department.

Hospitals and health care systems have patients’ names, medical histories, billing information and addresses on file, among other things.

And when hospitals are hit with a cyberattack, the consequences can be dramatic.

Beyond the postponement of some appointments and surgeries, caring for hospital patients became more difficult for a time after the attack, said nurses at one Ascension Illinois hospital.

Hospitals typically take down some of their electronic systems following a cyberattack in order to isolate the problem, and to prevent hackers from doing any further damage, experts say. But that lack of access to electronic health records and systems is challenging, nurses say.

For a day or so after the attack, nurses couldn’t automatically see when doctors entered orders for patients, such as for tests and medications, said Paula Koranda, a staff nurse at Ascension Saint Joseph-Joliet hospital. They only learned about an order if they spoke with the doctor, she said.

Also, normally, when administering medication, nurses scan barcodes on the medication containers and on patients’ hospital bracelets to make sure they’re giving the right medication to the right patient. They also temporarily lost the ability to do that after the attack, Koranda said.

Koranda, who said she has been a nurse at the hospital for 48 years, remembers how those tasks were done before computers, with paper and pen. But many nurses aren’t used to working like that, she said.

“It was definitely very hard to make sure we were very safe with the patients and the patients got everything they needed when we went down,” Koranda said.

An Ascension Illinois spokeswoman did not comment on the specific concerns, but Ascension said on its website: “Caring for our patients remains our highest priority. We understand there may be concerns, but our workforce is well trained in providing patient care with established downtime procedures.” Downtime procedures include moving to pen and paper for tasks, including dispensing medication, inputting medical records and ordering tests, Ascension said on its website.

Ascension also placed Ascension Alexian Brothers-Elk Grove Village hospital on ambulance bypass — meaning ambulances were told to bring new patients elsewhere — for about 14 hours following the attack.

Hospitals can also face serious financial consequences after a cyberattack. Last year, one rural Illinois hospital — St. Margaret’s Health-Spring Valley — closed its doors after a cyberattack. Hospital leaders blamed the facility’s demise partly on the COVID-19 pandemic, the cost of agency nurses and a “computer hacking” that damaged its ability to bill for its services, in a document submitted to the Illinois Health Facilities and Services Review Board.

In some cases, hospitals also face lawsuits from patients following cyberattacks. At least two people have already filed lawsuits against Ascension in the days since it announced the cyberattack. Ascension Saint Mary-Chicago patient Katherine Negron filed a lawsuit seeking class-action status in U.S. District Court for the Northern District of Illinois on May 12, alleging Ascension failed to safeguard patients’ personal information, putting them at greater risk of identity theft and fraud following the data breach. Another lawsuit was filed in federal court in Texas.

Cybercriminals hope that the consequences of attacks on hospitals are so severe that hospitals will give them what they want. Ascension has confirmed that the cyberattack on it involved ransomware, which is a type of malware that encrypts files in a system, rendering them unusable unless the owner pays a ransom.

The FBI and the National Cybersecurity Alliance don’t recommend paying ransoms in ransomware attacks. But some health care organizations, desperate to get back to normal operations, pay the ransoms.

UnitedHealth Group confirmed that it paid a ransom to the perpetrators of the cyberattack against Change Healthcare earlier this year — an attack that made it difficult for providers to get paid by health insurance for services. The CEO of UnitedHealth Group told lawmakers that the company paid a $22 million ransom. UnitedHealth Group said the attack cost it nearly $900 million.

Nearly 12% of 229 cybersecurity professionals who responded to a 2023 Healthcare Information and Management Systems Society (HIMSS) Healthcare Cybersecurity Survey said their organizations experienced ransomware attacks in 2023. About one quarter of those people said their organizations paid the ransom.

Health care may also have become a popular target for ransomware and cyberattacks in recent years partly because it was slower than some other industries, such as the financial industry, to prioritize cybersecurity, said Lisa Plaggemier, executive director of the National Cybersecurity Alliance.

The health care industry spent years focused on simply putting modern systems, such as electronic health records, in place, Shehata said.

“Health care, as an industry, is also likely going to have to catch up to some industries that have been in this automated world a little longer,” Shehata said.

The health care industry has, however, slightly increased its spending on cybersecurity recently. For a time, health organizations tended to spend 6% or less of their information technology budgets on cybersecurity, said Lee Kim, HIMSS senior principal of cybersecurity and privacy. They’re now spending, on average, 7% or more on cybersecurity, according to the 2023 HIMSS survey. Nearly 58% of respondents to the HIMSS 2023 survey said they expected their cybersecurity budgets to increase in 2024.

Health care providers still don’t spend as much as other industries, such as banking and financial services and software publishing and internet services, according to Gartner, a global research and advisory company.

But health care leaders recognize that cyberattacks are a problem, and they’re not going away. If anything, health care systems must now figure out how to adapt their cybersecurity defenses to deal with new technologies, such as artificial intelligence, experts say.

“Health care is one of the very few industries where pretty much everyone is impacted when a cyberattack happens,” Kim said.