Hospital giant's IT still poorly a week after suspected ransomware infection

Updated Computer systems are still down at CommonSpirit Health – America's second-largest nonprofit hospital network – more than a week after it was hit by a somewhat mystery cyberattack.

The US's largest Catholic healthcare provider remains very tight-lipped about the root cause of this digital breakdown, and when it expects its systems to come back online. At one point, and this may still be the case, access to electronic patient records and shift scheduling tools was cut off, treatments were delayed, and ambulances were diverted as a result of the snafu. Staff were reportedly forced to use pen and paper.

In a statement that seems to be shrinking over the course of the ongoing downtime, which reportedly began on or around October 3, the Chicago-headquartered organization said it identified "an IT issue" affecting "some" of its more than 1,000 medical facilities across 21 states.

"We have taken certain systems offline," the statement reads today. Last week, the notice said this included "electronic health record (EHR) and other systems," and blamed "an IT security issue." That detail is missing from the latest missive, linked from the CommonSpirit dot-org website.

"We are continuing to investigate this issue and follow existing protocols for system outages," the update now reads.

A CommonSpirit spokesperson declined to answer The Register's questions about the situation, including those about its scope, remediation activities, and whether it was a ransomware attack, and instead directed us to the "IT issue" statement on the website.

NBC News, citing "a person familiar with its remediation efforts," said the healthcare org was a victim of a ransomware infection.

Infosec experts have supported this conclusion. And Emsisoft analyst Brett Callow, when asked about the CommonSpirit drama, told The Register: "Statistically speaking, a ransomware attack is the most likely explanation for an incident such as this."

Meanwhile, reporters and purported employees of affected hospitals tell stories of overwhelmed emergency room nurses calling 911 for help and medical treatments being postponed due to these system outages.

A person who claimed to work for CommonSpirit posted over the weekend on a Reddit board for nurses complaining that IT systems including patient record software Epic, payroll tools, shift scheduling suite Kronos, and the company intranet were down.

"It is a nightmare," the person said, claiming employees get more information about the cyberattack from the media than from hospital management. "Paper charts only, no organization, no standardization, no leadership in sight. Depending on the unit, some have organized charts and some just have charts thrown all over the place with papers rubberbanded."

Medical staff can't review patients' history, the pharmacy can't verify orders, and lab results are faxed between providers, the Reddit user alleged. "So meds and lab turnaround are hours for anything not stat."

• Huge nonprofit hospital network suffers IT meltdown after 'security incident'
• Ransomware gang threatens 1m-plus medical record leak
• Healthcare organizations face rising ransomware attacks – and are paying up
• Hive ransomware affiliate zeros in on Exchange servers

A Register reader who said her daughter is a nurse at a CommonSpirit hospital, which we have chosen not to identify, said the facility has patients on dialysis machines without current lab reports, and IV medications coming from the pharmacy have hand-written labels "without correct order information."

"Most of the nursing staff is unfamiliar with doing paper charting and handwritten information leads to errors," they told us.

In April, the US Health and Human Services (HHS) agency warned healthcare orgs about the Hive ransomware gang, which HHS described as an "exceptionally aggressive" threat to the health sector. 

At least 15 US healthcare systems operating 61 hospitals have been hit by ransomware so far this year, according to Callow. In at least 12 of these infections, miscreants got hold of data including protected health information. ®

Updated to add

Surprise, surprise: CommonSpirit now says it was hit with ransomware. In an updated statement, the hospital chain said: