This month, a ransomware attack on the second-largest U.S. nonprofit health system, CommonSpirit Health, left IT locked, delayed surgeries and caused widespread disruption in patient care. It left millions of patients, across 142 hospitals in 21 states, waiting at least two weeks to learn if their personal information was compromised, Axios reports. "We don't know what was disrupted," said Barak Israel, chief information security officer of Boston-based Cybereason. he latest attack comes as the Biden administration examines how to beef up minimum cybersecurity standards within critical infrastructure like health care, the Washington Post reports. This year, there has been nearly a 50 percent increase in interactive intrusion campaigns, with some of the most notable increases against health institutions. In 2021, 45 million individuals were affected by healthcare attacks, up from 34 million in 2020. At least 68 health care providers in the U.S. were affected by ransomware in 2021, including multiple hospitals and health systems that reached a total of 1,203 sites..
Health systems remain vulnerable to threats. They are highly complex, relying on supply chains and connections with numerous clinics and vendors. Health systems also have fewer incentives to prioritize their cybersecurity, said Grant Elliot, CEO of risk management platform Ostendio. "There's a distinct lack of enforcement within health care generally and, as a result, there's not a huge amount of consequence to these organizations for not building an effective security program," he said. A 2020 study by CybelAngel revealed more than 45 million X-rays, CT scans and other medical images could be accessed on unprotected servers, unencrypted and without password protection. CommonSpirit confirmed it is working to bring systems back online, but it will take time to restore full functionality. There is no consensus in the industry on the best way to handle a ransomware attack, Elliot said. It can take health systems a while to establish what information has been compromised. The biggest concern from the rising threat of ransomware attacks is the impact on patient safety. The speed and specificity of hospitals' communicating the threat to patients is critical.