Breaking Compliance News Blog

Health System Ransomware Attack Lingers…

Posted by Scott Gima on 11/22/22 10:08 AM

maximize ransomware defense

CommonSpirit hospitals reported IT issues on October 3rd with a response that included taking systems offline, including their electronic medical records. CommonSpirit has 140 hospitals in 21 states.

According to, based on website information, hospitals in seven states have been impacted. Scheduling issues and procedure delays have been reported.

Systems being restored. On November 9, CommonSpirit announced that it continued to “work diligently to bring systems online and restore functionality as quickly and safely as possible, including electronic health records….” We know that, after the attack, many clinicians were unable to access medical records, and patient access to the MyChart portal was impacted.

Why it matters: There are no details on whether there has been a data breach of PHI – CommonSpirit says a forensic investigation is ongoing. But the news reports provide a clear picture of the operational impact that occurs in response to a ransomware attack – IT systems and applications have to be taken down to contain the impact or spread of the attack.

Security risk analysis and business continuity planning. A business continuity plan prepares your organization to respond quickly with temporary procedures and measures to continue key operational tasks and get systems back online as quickly as possible.

What to do: Identify and prioritize tasks that include but are not limited to electronic medical records (scheduling, documentation, orders, medications, and communication), communication, payroll, billing, collections, and food and supply ordering.

Every critical task must be reviewed to minimize patient risk. For example: a new medication order. What steps are now needed to get a new medication order from the physician to the bedside? Will human runners be needed? How and who will review, transcribe, and double check orders to prevent errors?

Email – don’t under estimate its impact. Business continuity takes a hit when email is inaccessible. Is your inbox your de facto “to do” list? Imagine how you are going to be able to tackle routine tasks without access to your inbox. Don’t overlook other email folders, as well as the inability to communicate by email for at least a couple of weeks if not longer….


STG Signature 2021





Topics: HIPAA, security, compliance

    Privacy Policy           Terms of Use