CommonSpirit Ransomware Attack Holds Lessons for Cybersecurity
By Greg Freeman
The recent ransomware attack on a health system illustrates the need for proper cybersecurity measures. The system may have been vulnerable because of recent mergers and acquisitions.
- Cyberattacks are increasing.
- Extensive planning and tabletop exercises are necessary.
- Hackers may target less-crucial systems with less security.
A ransomware attack on a large health system forced it to shut down electronic health records (EHRs) and cancel appointments — and there are indications it may have threatened patient safety. Hackers might have exploited weaknesses that resulted from a series of mergers and acquisitions.
CommonSpirit Health announced the “IT security incident” in October 2022. Based in Chicago, the health system operates 142 hospitals and more than 2,200 sites of care in 21 states. After the initial announcement, CommonSpirit confirmed the incident was a ransomware attack. The health system said it notified law enforcement and immediately began a forensics investigation.
Details regarding the nature of the attack have not been made public, but this probably was a phishing attack that led to the eventual ransomware infection, says Andy Rogers, senior assessor at Schellman, a global independent security and privacy compliance assessor in Indianapolis.
Over the course of 2021, the number of phishing (email), smishing (SMS text messages), and vishing (phone) social engineering attacks spiked dramatically, Rogers says. The number of attacks quadrupled from about 82,000 reported attacks the previous year to 320,000, according to the 2021 IC3 Internet Crime Report.
“I don’t believe this is any coincidence with how much cryptocurrency has grown in popularity, and ransoms are consistently being paid by the victims,” Rogers says. He notes hackers have become so sophisticated they will sell or rent ransomware tools to others, a practice known as Ransomware as a Service.
“I’m not saying that CommonSpirit was exploited through one of these platforms, but its popularity has spiked to the point it’s an organized crime business unit with even a technical support line,” Rogers explains. “Ransomware has become a go-to means for compromising and motivating victims to deposit cryptocurrency into attackers’ wallets.”
May Have Targeted Top Administrators
Rogers suspects the ransomware entered through a targeted email to a hospital domain administrator or database record administrator. Ordinary users often are targeted, but success with a higher-level administrator provides more access.
“The best offense is a solid defense. If those records had been backed up to the cloud or even an offsite data center that not everyone had access to by default, the ensuing chaos could mostly have been prevented,” Rogers notes. “It would have been as easy as restoring the compromised systems from backup. This would have, at most, kept any affected facilities and systems down for a day or two instead of going on more than a month now.”
Another good practice is implementing the principle of “least privilege,” Rogers says. This means granting people the least access they need to complete their work, rather than giving everyone access to everything because everyone is thought to be trustworthy.
“Unfortunately, it only takes one misguided person to knock down the house of cards. When a person always logs in to the systems and servers in the environment with full ‘God mode’ access, this can be problematic,” Rogers says. “No one should ever — except under specific circumstances — have access to the God mode account, which would be the domain administrator or root account. Everyone should log in under their own account specific to the role they hold with access permissions to reflect their role.”
Rogers also recommends using multifactor authentication (MFA) wherever possible. Many hospital systems leverage embedded operating systems or use antiquated systems that are unable to provide MFA. Still, wherever possible, a second form of authentication should be enabled and used to prevent someone who has compromised a user’s first form of authentication (usually username and password) from logging in unfettered.
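The three controls Rogers describes (no standing "God mode" access, role-specific accounts, MFA wherever it can be enabled) can be checked against a directory export rather than taken on faith. The following is an added example written for this article, not code from Schellman or from CommonSpirit; the account records, the privileged group names, the WS-/SRV-/DC- host naming convention and the built-in account names are all assumptions chosen for illustration.

```python
"""Audit a constructed directory export for standing privileged access,
privileged accounts used for day-to-day logons, and missing MFA.

Added example; the data, group names and host-naming rule are assumptions.
"""
from dataclasses import dataclass, field

# Assumption: AD-style Tier-0 groups that amount to "God mode" on the domain.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}
# Assumption: built-in accounts nobody should use for interactive work.
BUILTIN_ACCOUNTS = {"administrator", "root"}


@dataclass
class Account:
    name: str
    groups: set[str]
    mfa_enrolled: bool
    recent_logon_hosts: list[str] = field(default_factory=list)


def is_workstation(host: str) -> bool:
    # Assumption: workstations are named WS-*, servers SRV-*, domain controllers DC-*.
    return host.upper().startswith("WS-")


def audit(accounts: list[Account]) -> dict[str, list[str]]:
    """Return account names grouped by finding type (order preserved from input)."""
    findings: dict[str, list[str]] = {
        "standing_admin": [],        # permanent membership in a Tier-0 group
        "admin_on_workstation": [],  # Tier-0 account logging on to ordinary workstations
        "no_mfa": [],                # no second factor enrolled
        "builtin_in_use": [],        # built-in Administrator/root used interactively
    }
    for acct in accounts:
        privileged = bool(acct.groups & PRIVILEGED_GROUPS)
        if privileged:
            findings["standing_admin"].append(acct.name)
            if any(is_workstation(h) for h in acct.recent_logon_hosts):
                findings["admin_on_workstation"].append(acct.name)
        if not acct.mfa_enrolled:
            findings["no_mfa"].append(acct.name)
        if acct.name.lower() in BUILTIN_ACCOUNTS and acct.recent_logon_hosts:
            findings["builtin_in_use"].append(acct.name)
    return findings


# Constructed sample export (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("jdoe", {"Domain Users", "Domain Admins"}, True, ["WS-0412", "SRV-SQL01"]),  # daily-driver with admin rights
    Account("jdoe-adm", {"Domain Admins"}, True, ["DC-01"]),                              # separate admin account, servers only
    Account("rlee", {"Domain Users", "EHR-Clinicians"}, False, ["WS-0201"]),               # clinician without MFA
    Account("Administrator", {"Domain Admins", "Administrators"}, False, ["WS-0099"]),    # shared built-in used interactively
]

if __name__ == "__main__":
    for kind, names in audit(SAMPLE_ACCOUNTS).items():
        print(f"{kind}: {names}")
```

In this sample, `jdoe-adm` is the pattern Rogers describes (a role-specific admin account used only where admin work happens), while `jdoe` and the built-in `Administrator` are the "house of cards" cases: one phished mailbox or workstation gives the attacker Tier-0 rights. Replacing the constructed list with a real export (for example, from `Get-ADGroupMember` and logon audit events) turns this into a recurring check.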
A detailed incident response plan (IRP) also is important. Critical scenarios can be handled more effectively by putting an IRP in place and testing it. This plan may include providing physical copies of records or mirroring records to third-party hospitals to pick up the slack. Education in good cybersecurity practices also is crucial.
“While these tips won’t make the organization bulletproof, they will go a long way in equipping the organization with the tools they need to prevent all but the most determined attacker — and even then, it will limit the breadth and depth of the compromise,” Rogers says.
M&A Might Have Left Weaknesses
One thing to note is CommonSpirit may be a bit of an outlier when it comes to cybersecurity risks, says Colin J. Zick, JD, partner with Foley Hoag in Boston. The company’s size and number of acquisitions probably has made them more vulnerable than most, he suggests.
CommonSpirit Health was formed in 2019 by the merger of Dignity Health and Catholic Health Initiatives. Both included many treatment sites and affiliated organizations.
In terms of integration, the back-end work regarding IT and cybersecurity often is the last to be completed. “If you’re exposed back there, or you don’t know you’re exposed back there, that can cause a lot of problems. You could be exposed in myriad ways because they’re different systems you have to integrate. That just gets really hard,” Zick says. “That’s one thing to look at if you’ve been involved in a lot of recent acquisitions. You have to look and ask if you’ve given the appropriate attention to getting all our systems up and protected.”
Zick recalls working with one organization that removed the firewalls from the companies it acquired to facilitate the acquisitions. After the integration was complete, they never reactivated the firewalls.
“The other thing that has struck me [about the CommonSpirit attack] is just how long it’s taken them to get back up and running. That suggests these were significant attacks,” Zick says. “But it also suggests a certain lack of preparation. The information I’m seeing is that it took them more than two weeks after the reported beginning of the attack to restore some EHR functions. That suggests that there wasn’t an effective plan in place to respond to this ransomware attack.”
Healthcare leaders should take the opportunity to learn from other people’s misfortune, Zick says. He notes that as important as cybersecurity is in healthcare, it is not the only priority in the C-suite. CommonSpirit reported a $400 million net loss for the opening quarter of their fiscal year 2023. Zick wonders if that contributed to their vulnerability.
“Kind of hard to make the case that we’re going to spend a lot of money on cybersecurity when you’re trying to fill that size hole,” he says. “Everybody’s talking about cuts, where can we cut. If you’re cutting, you’re certainly going to be challenged to get a significant investment in cybersecurity. You know they’re bombarded on all sides at the present moment. That just makes it really hard to get the resources in place.”
Hackers are aware of the situation, and they know mergers and acquisitions can introduce vulnerabilities. “If I were a hacker, I would look for more providers who have just had big mergers, as they make some really nice targets,” Zick says. “If you’re in that boat, you’re at increased risk, and should take more precautions.”
European Turmoil Influences Attacks
Escalating political tensions in Eastern Europe also could put healthcare organizations at more risk of a cyberattack, says Israel Barak, chief information security officer with Cybereason, a cybersecurity company headquartered in Boston. Barak notes 2021 was a good year for international relations in terms of trying to curb ransomware gang activity, with Russia cracking down on a large ransomware gang. That suggested more cooperation in curbing that type of cybercrime rather than Russia providing safe harbor for cybercriminals. The invasion of Ukraine and the subsequent international turmoil may have ended that optimism. There has been a recent uptick in aggressive ransomware attacks.
“I think, bottom line, the probability of the risk has increased dramatically since the middle of 2021. As political tensions continue to escalate, I think we can expect to see less and less of any Russian activities to try to curb the aggressiveness of these gangs,” Barak says.
Large, complex healthcare organizations must pay attention to every unit, Barak says. Many clinics, providers, and other hospitals that are part of your network can access your systems, but they do not all share the same level of security practices and maturity.
“Some of them are very, very early on in their maturity life cycle — think clinics and small providers. Others are very mature, like sophisticated, large hospitals,” Barak explains. “You create a situation where the strength of the chain is the strength of its weakest link because they all have access to those systems. It’s enough to breach one of those links in the chain in a supply chain to actually breach that entire network.”
Another challenge is maintaining focus and intensity in cybersecurity efforts. With a highly publicized incident like the CommonSpirit attack, there can be a blip in the level of awareness of executive leadership and more willingness to address the risk.
“One of the challenges for us as security practitioners is to make sure that blip doesn’t last for only two or three weeks after the incident. Rather, we need to keep it in conscious awareness of executive leadership on an ongoing basis,” Barak says. “The sad reality of most organizations is there is a temporary effect right around an incident like CommonSpirit, but it subsides.”
Interoperability at Play
The push in recent years for interoperability creates more cybersecurity risks for healthcare organizations, says Kim Biddings, vice president of product with BIO-key, a company based in Wall, NJ, that provides access management solutions. Combined with mergers and acquisitions, the effect can be a “nesting” of organizations inside organizations.
“Health systems consolidate and go underneath umbrella corporations or umbrella institutions. They started, but they’ve done a really, really bad job centralizing it and centralizing technology,” Biddings says. “I think for a risk leader, one of the things to realize is that if you have two or three or four hospital systems, and they all use a different EHR, it can easily take six months.”
With CommonSpirit forming from a huge merger and acquisition in 2019, it is unrealistic to expect their systems are fully integrated, Biddings says. Healthcare organizations should conduct a risk assessment on any entity they will be buying or partnering with, as well as any entity that will have access to the technology.
Biddings notes healthcare organizations might take longer to recover from ransomware attacks than in the past. She worked with healthcare entities in 2016 that recovered within a week, but the CommonSpirit outage was longer. Recently, Biddings reviewed breach reports filed with HHS and noted most of them were due to hacking.
“There are definitely lessons we should have learned by now. But I also am not sure what to say at this point if we aren’t learning the lessons. This isn’t a new problem,” Biddings laments. “If anything, it’s just becoming more and more of an issue. I would attribute a lot of this to the consolidation kind of ecosystem merger that’s happened. You can’t connect IT systems that quickly and not assume that there’ll be security gaps.”
Geofencing can be another safeguard against cyberattacks, says Richard Sheinis, JD, partner with Hall Booth Smith in Charlotte, NC. This tactic uses technical controls to build a virtual fence around an organization based on the geographic location associated with a connection’s source IP address, with the approved regions set by leadership. The geofencing can prevent contact from someone outside the fenced area, or at least alert the organization to a contact outside the zone.
“Is there a reason that an IP address in Malaysia, for example, should be able to access your system?” Sheinis asks. “That can be a line of defense, but it is not enough on its own because the threat actors have certainly gotten better. If it’s a person in Malaysia, Russia, or wherever, they will bounce their signal around and use a bot that might be located somewhere in the United States. That is the final IP address that is accessing the victim’s environment.”
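What Sheinis describes is a policy decision applied to authentication or firewall logs, and the limitation he raises shows up as soon as it is written down. The following is an added example for this article, not code from Hall Booth Smith or from any product; the log format, the CIDR-to-country table (a stand-in for a GeoIP database, using documentation address ranges) and the allowed-country policy are assumptions. The second `jdoe` line is constructed to show the caveat: the same user arriving a minute later from a US address passes the fence, which is exactly what an attacker bouncing through a US-based bot relies on.

```python
"""Geofence check over constructed authentication log lines.

Added example; the log format, GEO_TABLE and ALLOWED_COUNTRIES are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: leadership has approved access only from the US.
ALLOWED_COUNTRIES = {"US"}

# Constructed stand-in for a GeoIP lookup (CIDR -> ISO 3166 country code).
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges
# with no real geography; the countries are assigned for illustration only.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "MY"),
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
    (ipaddress.ip_network("10.0.0.0/8"), "US"),  # internal ranges treated as in-country
]


def country_of(ip: str) -> str:
    """Map an address to a country code; unknown addresses fall outside the fence."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "??"


@dataclass
class Verdict:
    user: str
    src_ip: str
    country: str
    action: str  # "allow", "block" or "alert"


def evaluate(line: str, mode: str = "block") -> Verdict:
    """Apply the fence to one log line.

    Assumed format: "<timestamp> user=<name> src=<ip> result=<success|failure>".
    mode="block" enforces the fence; mode="alert" only notifies, as the article
    describes for organizations that cannot hard-block.
    """
    fields = dict(token.split("=", 1) for token in line.split()[1:])
    cc = country_of(fields["src"])
    action = "allow" if cc in ALLOWED_COUNTRIES else mode
    return Verdict(fields["user"], fields["src"], cc, action)


def run(lines: list[str], mode: str = "block") -> list[Verdict]:
    return [evaluate(line, mode) for line in lines]


# Constructed sample log (not real traffic).
SAMPLE_LOG = [
    "2022-10-03T02:14:07Z user=jdoe src=203.0.113.44 result=success",   # outside the fence
    "2022-10-03T02:15:31Z user=jdoe src=198.51.100.7 result=success",   # same user via a US address: passes
    "2022-10-03T08:02:12Z user=rlee src=10.20.30.40 result=success",    # internal
    "2022-10-03T09:45:00Z user=svc-backup src=192.0.2.9 result=failure",  # outside the fence
]

if __name__ == "__main__":
    for v in run(SAMPLE_LOG):
        print(f"{v.action:5} {v.user:11} {v.src_ip:15} {v.country}")
```

The fence catches the first and last lines and does nothing about the second, which is Sheinis’ point: geofencing cuts down noise and raises an alert worth investigating, but it has to sit alongside MFA, least privilege and logging that can correlate a user’s sessions over time.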
Healthcare companies are a prime target for cyberattacks, says Stephen Manley, chief technology officer at Druva, a cybersecurity company headquartered in Santa Clara, CA.
“To an attacker, healthcare companies are sitting on a gold mine. Patient information is priceless, both intrinsically and in terms of setting up future phishing attacks,” Manley explains. “Furthermore, no healthcare organization wants to reduce service to patients while fighting off an attack, so attackers expect the ransom will usually be paid.” Also, healthcare organizations store more data in more locations than almost any other industry, which means the attack surface is substantial, he says.
The attackers will target what you do not expect, Manley says. The attack on CommonSpirit apparently did not compromise their most critical, well-protected services. “There is no impact to clinic, patient care, and associated systems,” the company noted. Instead, the cybercriminals brought down “electronic health records and patient portals.”
“Regardless of the industry, we see the attackers compromising secondary systems because they are less well protected,” Manley says. “The results, however, are still devastating.”
Organizations with an incident response plan are far more successful than those without one, Manley says. The plan must be cross-functional, including IT, security, legal, public relations, executive management, and the board. While more organizations are planning for how to run forensics and recovery, CommonSpirit showed the value of a good public relations plan. On Oct. 4 and Oct. 5, they posted short, honest messages.
“As they worked through their incident response, they added more detail. The biggest mistake organizations make is [delivering] bold, detailed statements early on — and then having to walk them back,” Manley says. “Incident response is not a security or IT function. It is a comprehensive business function. Prepare for it.”
It is not the question of if a breach will happen — it is when. “You will not be able to solve this challenge alone. You need to work with companies that can help you prepare, work with colleagues across the industry, and learn from every published incident,” Manley says. “Healthcare is a target, and the attackers are coming for what you least expect.”
Insurers Can Provide Resources
Do not forget your insurer can be a good resource during a cyberattack, says Tim Francis, enterprise cyber lead with Travelers, an insurance company in Hartford, CT.
During a ransomware attack, minutes matter. Companies should immediately begin following incident response plans. Those steps can include alerting the authorities or notifying an insurance carrier if a cyber policy has been secured and could be triggered.
“An insurance carrier can help in a number of ways, such as lining up specialists to conduct a forensic investigation and contact the cybercriminals to negotiate or sometimes pay the ransom,” Francis says. “With the personal and sensitive information being stored and protected by healthcare providers, it’s imperative that a proper response is implemented once a ransomware attack has been detected.”
- Israel Barak, Chief Information Security Officer, Cybereason, Boston. Phone: (855) 695-8200.
- Kim Biddings, Vice President of Product, BIO-key, Wall, NJ. Phone: (866) 846-2594.
- Tim Francis, Enterprise Cyber Lead, Travelers, Hartford, CT. Phone: (800) 842-5075.
- Stephen Manley, Chief Technology Officer, Druva, Santa Clara, CA. Phone: (888) 821-0592.
- Andy Rogers, Senior Assessor, Schellman, Indianapolis. Phone: (866) 254-0000.
- Richard Sheinis, JD, Partner, Hall Booth Smith, Charlotte, NC. Phone: (980) 859-0381.
- Colin J. Zick, JD, Partner, Foley Hoag, Boston. Phone: (617) 832-1275.