Ardent Health Services, a healthcare provider operating 30 hospitals across six U.S. states, disclosed today that its systems were hit by a ransomware attack on Thursday.
After the incident, it had to take its entire network offline, notify law enforcement, and hire external experts to investigate the attack's extent and impact.
"Ardent Health Services and its affiliated entities ("Ardent") became aware of an information technology cybersecurity incident on the morning of November 23, 2023, which has since been determined to be a ransomware attack," the organization said on Monday.
"As a result, Ardent proactively took its network offline, suspending all user access to its information technology applications, including corporate servers, Epic software, internet and clinical programs."
Impacted hospitals are currently diverting all patients requiring emergency care to other hospitals in their area. However, they can still provide medical screening and stabilizing care to patients arriving at their emergency rooms.
"Each Ardent hospital continues to evaluate its ability to safely care for critically ill patients in its Emergency Room as we work to bring hospital systems back online. This is rapidly changing, and the status of each hospital will be updated as the situation improves," Ardent added.
Patient care services are still active in Ardent's clinics, though certain non-urgent elective surgeries have been temporarily halted as the organization is working to restore encrypted systems.
There have been 209 publicly reported ransomware attacks on US health care organizations in 2023, up from 162 attacks in 2022, Allan Liska, a ransomware expert at cybersecurity firm Recorded Future, told CNN on Friday.
CNN — A network of hospitals in East Texas has not been able to accept ambulances to emergency rooms sinc Thanksgiving Day because of a “potential[cyber]security incident,” a hospital spokesperson told CNN on Friday.The hospital network, UT Health East Texas, is operating using “established downtime procedures” as the hospital investigates “a potential security incident” and works to bring computers back online, spokesperson Allison Pollan said in an email.
Pollan did not respond to subsequent phone calls seeking more information on the incident and how the hospitals were responding. She declined to answer further questions over email.
Headquartered in Tyler, Texas, UT Health East Texas operates 10 hospitals and more than 90 clinics in the region, and provides health care to thousands of patients annually, according to its LinkedIn page.
The East Texas health care system is just the latest hospital group that has been forced to turn ambulances away because of an apparent cybersecurity incident. The last nine months alone have seen cyberattacks divert ambulances from hospitals in Connecticut, Florida, Idaho and Pennsylvania.
The cyber incident at UT Health East Texas began on Thursday when the hospital network “became aware of a network outage” and moved to lock down its network, according to the hospital network’s statement to CNN.
The hospital network originally said Thursday that it expected computer networks to be “restored in the next 24-36 hours,” but it’s unclear if that will happen.
Officials at the Department of Health and Human Services, and US Cybersecurity and Infrastructure Security Agency (CISA) — two federal agencies charged with helping hospitals defend themselves from hackers — did not immediately respond to requests for comment. The FBI, which also responds to hacks of hospitals, did not immediately have a comment.
Federal officials and critical infrastructure operators such as hospitals and power plants are particularly wary of the threat of ransomware and other cyberattacks over long holiday weekends when many Americans have the day off — and cybersecurity teams may be stretched.
A ransomware attack shut down a medical diagnostic imaging firm in South Florida, shutting down several Central Florida locations, as well.
Earlier this month, a hacker accessed personal patient data at the Akumin site headquartered in Broward County, the firm said in a statement.
Which Central Florida offices were affected?
The outpatient radiology and oncology service announced Tuesday it was temporarily shutting down services throughout the state including seven Central Florida locations.
• Orlando - 7960 Forest City Road and 1150 S. Semoran Boulevard
• Deltona - 1555 Saxon Boulevard
• Winter Haven - 7524 Cypress Gardens Boulevard
• Kissimmee - 1503 W. Oak Street and 819 E. Oak Street
• Mount Dora - 7524 Cypress Gardens Boulevard
Akumin has 50 locations throughout Florida and is available in several other states.
Can past records be accessed?
Regarding accessing past medical records, Akumin said certain imaging results may be unavailable.
"Our systems are being restored with differing timelines. Please check with the clinic you visited to learn more about the availability of prior studies. We will provide updates on restoration as appropriate," it said in a statement.
Akumin also said it will alert patients once it can reschedule appointments, however, it has no timeline at this point.
Additionally, Akumin was found to have filed for Chapter 11 bankruptcy weeks after the cyberattack took place, according to a report by First Coast News, an NBC-affiliated station in Jacksonville.
KINGSTON, N.Y. – Patients are being moved from HealthAlliance Hospital after a cyberattack that is under investigation by law enforcement, according to Westchester Medical Center Health Network, the owner of HealthAlliance.
“HealthAlliance Hospital, Margaretville Hospital and Mountainside Residential Care Center experienced a cyberattack that has impacted our IT systems,” the company said in a statement on Thursday afternoon after an inquiry from the Freeman. “After discovering this attack, we quickly notified the New York State Department of Health and Ulster and Delaware County officials of the situation, and have been working with law enforcement officials, including the FBI and a third-party cybersecurity firm, to determine the scope of the attack and specifically what systems were impacted. That investigation is ongoing.”
“All current HealthAlliance Hospital inpatients will be discharged from the hospital or transferred to other hospitals in the WMCHealth Network,” the hospital said in an email when pressed for details. “A dozen inpatients were either discharged or transferred today,” a follow-up email said on Thursday evening.
In October, the US Food and Drug Administration will start rejecting medical devices that lack a secure design or a post-market cybersecurity plan.
For six months, medical device makers have had to comply with new cybersecurity regulations aimed at hardening medical devices against cyber attacks, but the US Food and Drug Administration has largely refrained from using its "refuse to accept" power up to now.
On Oct. 1, the FDA's grace period — during which the agency stated it would try not to use its ability to reject medical devices that lack appropriate cybersecurity controls and a post-market patching capability — will end. The manufacturers of medical cyber devices must now submit plans to monitor and patch post-market cybersecurity vulnerabilities, have a process in place for the secure design and development of devices, and provide a software bill of materials (SBOM) to the FDA. Those who do not satisfy the requirements could have their devices rejected on the grounds that they pose too great a cyber risk.
The agency's focus on medical-device cybersecurity stems from Congressional passage of an omnibus appropriations act in December 2022 that included a section, "Ensuring Cybersecurity of Medical Devices," requiring medical-device manufacturers submit cybersecurity information to the FDA regarding any cyber device. The powers granted to the FDA, which went into effect in March, could go a long way toward forcing the makers of medical devices to consider and plan for vulnerabilities and cyberattacks, says Ty Greenhalgh, industry principal for healthcare at Claroty, an IoT security firm.
"This legislation addresses specifically that you have to do something about patching and updating on the new devices, and how are you going to get patches and updates out over the lifecycle in a reasonable time," he says. "The way this is set up, it's given broad authority for interpretation to the FDA on what it takes to get medical devices cyber-secure and what are the penalties, if you are not compliant with their interpretation."
The FDA, which allocated $5 million of its budget to medical device cybersecurity, could change that.
"Cybersecurity exploits are one of the most substantial threats faced by this nation, and the impact is particularly harmful for our health care system, where vulnerabilities could compromise entire hospital systems or disrupt manufacturing of countless devices if they are impacted," the FDA stated in its annual appropriations estimate. "Ultimately, these threats are of national security concern because if they go unchecked, they could cripple healthcare delivery."
Putting these new requirements into law is a first step, but is far from being an answer in and of itself, says David Brumley, a cybersecurity professor at Carnegie Mellon and CEO of software security firm ForAllSecure.
"We're building a muscle at this point, and that muscle isn't gonna allow us to lift this open-source [security] weight yet. But if we don't start building this muscle we won't be able to in 20 years," he says. "I just wish that they took it a step further, to say how they're going to hold people responsible, and what powers they have to hold people responsible."