
Ardent Health Services Ransomware Attack Impacts Six States, Forces Diversions From Emergency Rooms

A ransomware attack on Ardent Health Services, a network of 30 hospitals that spans six states, disrupted emergency rooms and caused some patient diversions for at least two days in addition to taking down the patient portals used to schedule appointments and a system used for remote video conferencing with doctors.

The incident is uncomfortably similar to a ransomware attack that took place in Germany a little over three years ago, often cited as the first to cause a death directly attributed to a cyber attack. Thus far Ardent Health Services seems to have been able to successfully route incoming patients to other nearby hospitals, though some patients may have had to seek care at added expense at an urgent care clinic due to the assorted service outages.

Ardent Health Services attack causes defensive network outages

A November 27 data breach notification from Ardent Health Services indicates that the ransomware attack began on the morning of November 23. The organization says that it proactively took many parts of its network offline to contain the attack, likely leading to the assorted outages that have persisted for several days. ERs appeared to have the most widespread diversions in place on the day of the attack, with about half reportedly restoring their capacity to see patients on the 24th.

Ardent Health Services says that it is working around the clock to restore all systems, but as of this writing it appears that some services are still offline. The organization reports that all emergency departments are currently performing initial screenings and providing stabilizing care to arriving patients, but some may still be on divert for certain functions. Some non-emergency surgeries and other procedures are being rescheduled.

The organization has yet to confirm or deny any patient or financial information being stolen in the attack. The MyChart patient portal and On-Demand Video Visits were temporarily taken offline, and as of this writing it appears the Ardent Health Services website is continuing to have sporadic trouble loading pages. The organization does not yet have a firm timeline for full restoration of function.

Full picture of ransomware attack damage remains unclear

Ardent Health Services operates 30 hospitals and about 200 additional patient care facilities that span six states. There are 25 emergency rooms among these locations which can be found in Idaho, Kansas, New Jersey, New Mexico, Oklahoma and Texas.

There is still no indication as to who is behind the ransomware attack, though that is not unusual in the early stages of these incidents as the attackers hold out hope of negotiating a payment. Ransomware attacks on hospitals have become popular in recent years due to the combination of added pressure on the victim to pay to restore normal function, and the possibility of stealing valuable patient records that can be sold in lieu of a payment.

At one time it was not uncommon for ransomware groups to declare health services off limits, sometimes even providing unlock keys to these organizations for free when they were hit by an affiliate. That social more seems to have fallen by the wayside as the ransomware market has tightened up, however, due to a combination of more aggressive law enforcement action against the biggest groups and a cyber insurance market that is increasingly turning businesses away. In a recent attack on a Pennsylvania health services system by notorious ransomware gang BlackCat, sensitive pictures of breast cancer patients were leaked on the dark web as a means of applying pressure.

Ransomware attacks bad enough to force patient diversions are also becoming more common. One took place in Florida in February, forcing Tallahassee Memorial HealthCare to divert EMS patients for a short time. In May, an attack on Mountain View Hospital in Idaho also caused some ambulance diversions for about a day.

Alex Heid, Chief Research Officer at SecurityScorecard, expects this to continue: “Looking at the broader picture, the digitization of healthcare (both paperwork & equipment) makes it an established, growing, and attractive target for cybercriminals. We’ve seen tragic outcomes in the past due to ransomware attacks on healthcare facilities, such as the 2020 incident in Germany that resulted in loss of life. From an outsider’s perspective, it seems Ardent Health Services’ actions aligned with industry best practices for incident response. Their proactive engagement with CISA, rapid investigative follow-up, and transparent communication with partners and the public exemplify how organizations should respond to such threats. While no organization will ever be 100% insulated from a cyber attack, the company response – how quickly they detect, disclose, remediate, and prevent future incidents – will define their success in navigating the storm.”

There is also something of a trend of potentially highly disruptive ransomware attacks on critical infrastructure (such as health services) landing on weekends, particularly long holiday weekends. The Ardent attack was timed to land on the morning of Thanksgiving Day, a Thursday that kicks off a four-day weekend for many employees (including some IT staff). In addition to Thanksgiving, the summer holiday weekends of Labor Day and Memorial Day have proven to be popular attack launch points, as have July 4th and New Year's Eve.

Jess Parnell, CISO at Centripetal, notes that ransomware should be expected to be a continuing and major threat over at least the next few years: “The bad guys are probing and doing reconnaissance constantly to see what can or can’t get through the network. And they are quickly changing their tactics to increase their success rate. That’s why organizations run out of human runway quickly and why their infrastructure is quickly overloaded. And even with all the spending on cybersecurity that we see, the only thing that organizations know for sure is that their exposure to cyber risk is only going up and up and up. Companies must implement ongoing patch management and deploy proactive cybersecurity solutions to protect their valuable assets. Attackers can exploit vulnerabilities faster than IT can patch them, so active defenses can buy you time.”

Dr Ilia Kolochenko, Chief Architect at ImmuniWeb, notes that improved regulation and government support are very likely to be necessary to keep health services safe going forward: “… healthcare industry cybersecurity budgets are usually smaller compared to most other industries, especially when dealing with small medical clinics or governmental entities. Healthcare institutions also struggle to hire cybersecurity talent amid tough competition on the market. Eventually most hospitals remain under-protected and exposed even to simple variations of cyber attacks. In the EU, with the arrival of NIS 2 directive, the situation may get slightly better but it will unlikely make any fundamental change: healthcare institutions will not magically start printing money and investing it in their cyber resilience. Akin to GDPR, NIS 2 may slightly improve the overall situation but is far away from resolving cybersecurity issues in healthcare industry. Thus, ransomware attacks will likely continue their steady growth making new victims in healthcare sector.”