Ascension Providence's parent company digging out of cyberattack fallout (2024)

Six weeks after a cyberattack on Ascension Health compromised medical records and disrupted patient care protocols, the health care giant that includes Waco’s Ascension Providence is pushing toward normalcy.

The cyberattack sent tremors through the Ascension system, here and elsewhere, forcing some hospitals to reschedule appointments and medical procedures. Staffers, including physicians, reportedly resorted to using pen and paper as computer functions languished.

Ascension has updated its progress online, but did not respond to questions this week from the Tribune-Herald about problems that might have hampered or delayed treatment at Ascension Providence. The McLennan County Medical Society, which represents local physicians, also did not respond to an inquiry.

In a June 14 “Cybersecurity Event Update,” Ascension said it is “pleased to announce that electronic health record (EHR) access has been restored across our ministries. This means that clinical workflow in our hospitals and clinics will function similarly to the way it did prior to the ransomware attack.

“This also means patients should see improved efficiencies in appointment scheduling, wait times for appointments and prescription fulfillment. However, our investigation into this incident is ongoing, along with the remediation of additional systems,” the update stated. “Access to patient portals has also been restored in each community we serve.”

But Ascension warned that medical records and other information collected between the May 8 cyberattack and when local electronic medical records were restored “may be temporarily inaccessible as we work to update the portal with information collected during the system downtime.”

It says due to high volumes, Ascension’s responses to messages sent via the patient portal “may experience a slight delay.”

What happened to St. Louis-based Ascension reflects a troubling trend, that of cyberattackers targeting health care systems.

Hackers are attracted to health care data available online, said Jeremy McCormick, who oversees the McLennan Cyber Defense Center with McLennan Community College and serves as director of training for the Central Texas Cyber Initiative, in collaboration with Baylor University.

McCormick said he knows no particulars about the Ascension cyberattack, though he learned about its ramifications when a relative gave birth at Ascension Providence, “and everything was being filled out by hand.”

“Everything went well, a happy baby,” said McCormick.

Hospitals and clinics “hold electronic personal health information that cybercriminals sell on the dark web,” he said.

Having gained access to details about patients, including name, address, date of birth and Social Security number, hackers have all the ingredients needed to steal identities, said McCormick, and some entities are amenable to paying ransom demands.

McCormick said health care providers place priority on saving lives, and sometimes cybersecurity becomes an afterthought.

“These places use equipment that is not protected, not encrypted. These include smaller devices such as insulin pumps or heart monitors not high-powered enough to introduce encryption in communication back to the doctor,” said McCormick, mentioning data vulnerability.

He said health care facilities often have older systems, which he called “legacy equipment,” that may contain few if any cybersecurity features.

Health care entities “are high-profile targets, and when their systems go down, there is a lot of pressure to come back on immediately,” said Hunter Isham, director of Scinary Cybersecurity’s operations center in Waco. “(Hackers) put a ransom out there, say, ‘Pay us, or we will release everything we have.’"

Often, said Isham, mistakes by end-users compromise data, not “crazy hackers,” and educating those users can prevent headaches.

Healthcare Dive, an online magazine, reported in March 2023 that cyberattacks had exposed 385 million patient records between 2010 and 2012. It said hacking incidents at health care firms “have skyrocketed in the past five years as cybercriminals demand ransoms in exchange for restoring access to sensitive medical data.”

The magazine said increased use of electronic records and digital services aggravates the problem.

Ascension, a nonprofit Catholic health care system, includes 140 hospitals and 35,000 affiliated providers in 19 states. A system that size, said McCormick, would have its own cybersecurity department. After the cyberattack of May 8, Ascension announced it would seek assistance from Mandiant, a company specializing in cybersecurity issues.

But as attacks increase, the cybersecurity industry is lacking manpower, with 40,000 vacancies in Texas alone and a half million nationwide, McCormick said.

“When you have such a workforce gap, it’s hard to catch up,” McCormick said.

He said data systems need a level of due diligence including detection and prevention, network monitoring, watching traffic and knowing vulnerabilities.

“Most attacks come through known vulnerabilities that have not been patched, have not been fixed,” said McCormick.

Change Healthcare, which processes health care transactions numbering in the billions, suffered a hack that affected hospitals, pharmacies and other health care providers, Baltimore Public Media reported online. A company official said it paid a $22 million ransom. The breach was made possible, said the online report, because the company portal did not have “multifactor authentication, a basic cybersecurity tool.”

McCormick said the Central Texas Cyber Initiative is doing what it can to fill vacancies in cybersecurity. It hosts summer cyber camps, and hopes to create pathways to training for junior high and high school students that may include internships with local business and industry. The goal is turning out people with two-year or four-year degrees in cybersecurity.