"While CommonSpirit declined to share specifics, a person familiar with its remediation efforts confirmed to NBC News that it had sustained a ransomware attack."
What we know thus far and my so what.
Today in Health IT, we take a look at the CommonSpirit outage. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders: Gordian Dynamics, Quil Health, Tausight, Nuance, Canon Medical, and Current.
Check them out at thisweekhealth.com/today. All right. So a couple of notes before I get into this. I've received a fair number of calls: do I know anything about this outage? And I only know what I'm reading, in the articles that you are reading. Okay. And so before I go into this, I want to make that perfectly clear: I have no inside knowledge here. Some of the stuff I'm going to be talking about
I will try to identify as my speculation based on what we are reading. So that's one of the things I want to make clear from the get-go. The second thing is, I used to write these things out. I used to write my Today show out from beginning to end, and I don't do that so much anymore. I do this more like a conversation with you as I'm reading the story.
So a little different approach, maybe a little less polished. Sometimes my thoughts don't come together as well as I would like. Maybe I should write it out, but I sort of like this conversational dialogue that we are having through the Today show. All right. So let me start with
the news stories. So I will go first to the NBC News story. Let's go there. "Ransomware attack delays patient care at hospitals across the U.S." CHI Memorial Hospital in Tennessee, some St. Luke's hospitals in Texas, and Virginia Mason Franciscan Health in Seattle all have announced that they were affected.
Okay. So the first thing you're going to take from this, or I'm going to take from this, is that this is something that is systemic, right? There's something at the core of this. This didn't happen at each individual hospital. It likely didn't happen at each individual hospital; it's something that's systemic,
from the core network. Now understand this: CommonSpirit is really the combination of a couple of organizations, but the primary ones at this point are CommonSpirit, or old Dignity, and CHI. So you have those two entities, and CHI was big and CommonSpirit was big, respectively. They came together
as one entity. It would appear from this, and I don't know the origins of each one of these hospitals, that CHI Memorial is definitely Franciscan. Virginia Mason Franciscan is probably one of those external entities as well. St. Luke's in Texas I'm not sure about, but I would think that St. Luke's Hospital in Texas is part of CHI as well. So if I were a betting man, I would say this is emanating from the CHI
portion of the organization anyway. One of the largest hospital chains in the U.S. was hit by a suspected ransomware attack this week, leading to delayed surgeries, holdups in patient care, and rescheduling of doctor appointments cross-country. CommonSpirit Health is ranked as the fourth largest health system in the country
by Becker's, and I know Becker's was doing the rankings, but they do publish them. So it said Tuesday that it has experienced an IT security issue that forced it to take certain systems offline. While CommonSpirit declined to share specifics, a person familiar with the remediation efforts confirmed to NBC that it had sustained a ransomware attack.
So, if you're wondering, this is what we know: NBC is confirming it's ransomware. We think it's ransomware. So anyway, that's what we're looking at. CommonSpirit, which has more than 140 hospitals across the U.S., also declined to share information on how many of the facilities were experiencing delays.
Multiple hospitals, however, including the ones I just mentioned, CHI Memorial Hospital in Tennessee, St. Luke's Hospital in Texas, and Virginia Mason Franciscan in Seattle, have all announced they were affected. One Texas woman who spoke to NBC News... this is where they start to talk about,
you know, delays in care and that kind of stuff, which we know happens in a ransomware attack. Let's see. Ransomware attacks on health chains are relatively common and have been a frequent part of the U.S. medical system for more than two years. True. True. To date, there is only one documented instance in which an American has publicly claimed that ransomware directly led to a patient's death.
An Alabama woman sued her hospital in 2020 after her baby was born with severe brain injury and died after her hospital was hit by a ransomware attack. So this is becoming a patient safety issue. In fact, we're going to talk about that specific item on an upcoming webinar. I'm not going to plug that webinar right now, but just check out our website. I think it's not this one. We have one this Thursday. It's not that one.
It's the one following that, where we're going to talk about ransomware as a patient safety issue. All right. So that's the story. That's what we know.
All right, let me see what else I can find out here. Here's a U.S. News & World Report piece. Also Seattle, Tennessee, Texas, fourth largest health system. They're pretty much just taking the newswire. At least 15 healthcare companies representing 61 hospitals have had ransomware attacks.
Yeah. So nothing new in that one. They are keeping a tight lid on this, and for good reason. At this point, you probably have the federal agencies already involved, and so they may or may not be able to talk about some of these things. Daily Mail, CommonSpirit attack. That one's two hours old. Maybe they have some more information.
They do not reveal how many patients were affected. The firm was struck by a ransomware attack last week, which delayed some care. Around 20 million American health records could have been affected. The hospital system is describing the attack as an IT security issue. So those are the main things that the Daily Mail has, which really
doesn't tell us much. They do have a map here of all the different locations. They're in just about every region. So no additional information there.
All right. And then the last story I'll cover. I'm only covering this one because I just don't understand it. So, Becker's. They make this observation, because it's not really a story. It's more of an observation than anything. And it's an accurate observation. It just sort of stands alone. It doesn't make sense to me. "Tech execs left CommonSpirit before IT upheaval."
Okay. At least five IT executives exited CommonSpirit Health in the months leading up to an IT security incident that began disrupting care in early October, including the chief digital and information officer. Chicago-based CommonSpirit, which operates 140 hospitals and more than 1,500 other healthcare sites in 21 states, confirmed an IT security issue to Becker's. On October 4th, the incident affected some facilities, and CommonSpirit took precautionary measures
to minimize the disruption, which is ongoing. The executives exiting are Suja Chandrasekaran and, you know, Gums, So Nila Levi, Victory and Kumar, Mora Cathy MD.
A couple of these left for what looks like greener pastures, you know, just better roles. Others, to be honest with you, I think left for various reasons. But the only reason I don't like this story is, as I said in my post today, it's post hoc ergo propter hoc: after, therefore because of.
There's no relation to this. They left, therefore the system broke. At least three of these, maybe four of them, had nothing to do with the security posture.
You know, Gums had nothing to do with the security posture. Healthcare platform strategist, maybe. Vice president of digital products, probably not. Vice president of clinical applications, probably not. I mean, it's a stretch to say that these five people left, therefore the system was whatever. And only two of these people probably had any
idea of what was going on in security, and really only one of them was responsible for security. And again, if that person leaves and a couple of months later the entire thing sort of implodes... I don't understand this story. I'm not sure why this story was written, other than to let people know that, hey, a bunch of CommonSpirit people left prior to the incident, which is really all it's titled. So I'm not entirely sure what it's about.
So let me give you my so what. I try not to be too disparaging of healthcare organizations or executives, because it is one of the hardest jobs I've ever had in my entire life. The demands on the role are incredibly challenging, and it's hard to pull off, and people don't understand the challenges that are in front of you. You're being asked to do a million things, and oh, by the way, make sure that the systems run, that they never go down, that they are never compromised, and oh, by the way,
we need you to do all these new digital things on top of it to reach the consumer and help the nurses and reduce the workload on them, reduce documentation, you name it. There isn't an aspect of the healthcare organization that the CIO doesn't touch. So I hesitate to be disparaging in any way, shape or form.
But I'm going to give you my so what on this, because I think there are some warning signs that we want to avoid. And the first one is, M&A needs to be handled better in healthcare, especially at this size. It needs to have a paper trail of security and operational risk. I will tell you, I worked for a very good health system.
But when it came to doing due diligence before acquisitions, we were awful. I would say like 90% of the stuff we did was exceptional, and when it came down to acquisitions and M&A-type stuff (and we didn't do any major ones, any massive ones), even the minor ones that we did, it was sort of like, hey, we're doing this. Can you guys take a look at it?
Like, it wasn't even in the realm of possibility that this deal could be upset based on a security posture or an operational risk due to technology. Now, granted, this was back in 2013, 14, 15, 16. The world has changed pretty dramatically. This deal, CommonSpirit, CHI, came together I think in 2019. The reality here is, when you have a deal of this size, bringing together two organizations of this size, there needs to be a security and operational risk assessment put together. And the reason I say this is, if they had done the operational and security due diligence on this thing, I have a feeling we would have a laundry list. I mean, it would have been an extensive list of things that needed to be taken care of. And if you were to prioritize the things, they would have been really high on the priority list. Like, we need to take care of
the foundation. These are the foundational items, right? This isn't the stuff on the top. This isn't like, hey, are we going to consolidate the EHR or not? We have too many different EHRs, so we're not even at that level. We're talking about basic blocking and tackling on the network, on the storage, on the end-user compute level. We're talking the basic blocking and tackling of the system.
And they would have had a document that was 50 pages long on things that needed to be remediated. And that document, I believe, should be created at the time of the M&A. And then the leadership and the board should be made aware of that, and they should be held accountable to it.
That's my personal take on that.
Again, I don't know anything about this breach or about this alleged ransomware event. But if I were projecting, I would say it's a ransomware event that originated somewhere in the CHI part of the platform. Somebody asked me on social media, shouldn't this have been consolidated by now? It's been three
And the reality is, you know, Providence and St. Joe's came together. We were a 16-hospital system, Providence and St. Joe's came together, and that consolidation of IT just finished. That happened in 2016 and it just finished in 2022. So, to give you an idea, that took six years. And there were two
fairly well-run IT shops. You didn't have massive holes. I mean, we had audits done by Deloitte every year around our security and our operational risk and all that stuff. So we weren't really outside the realm on that. So anyway, that's the first thing. The second thing is, health systems can't be run by the CFO alone.
And I know somebody's going to quote me on that, and that's why I threw the last word in. The CFO's role is a critical role, a key role, especially in today's day and age. It's so hard to run a financial operation at a health system. But the CFO cannot do it alone. They need help. They need strategic help, and they need technology and operational help.
And they cannot make decisions in a vacuum based just on financials alone. So that's one of my so whats: M&A is really important. And if you're just a system that's sitting there going, what else can I learn from this? I don't know what we can learn from this, to be honest with you. It's such a tight lid on it
at this point. You know, we can learn the basics, which is, the network is connected. It's all connected. If you think, hey, we're a separate health system because we were part of this merger and at this timeframe, you know, once they connect you up, there's a path. There's a path in. My other so what that I like to talk about is, now people say it's not if, but when.
And while I agree it's not if, but when, that there is an attack, and it's not if, but when, that they actually get in, your job is to control the blast radius. As the CIO, as the chief technology officer, as the chief information security officer, as the architect, if there is an architect. A lot of health systems don't have an architect per se, and you should.
There should be either an architectural team or an architect who is putting this whole thing together. They need to control the blast radius. They need to prevent the horizontal movement across the network. They shouldn't be able to get in at one health system, because it's just going to happen. Look, they are going to get in.
Right? When you have a system of this size, especially when you have a hundred thousand plus employees, somebody is going to click on that email. Even if you have great software in place to prevent a lot of the emails from getting there, somebody's still going to click on the email. Somebody is going to reuse their password on another system or on a website that is essentially phishing for physicians' credentials and whatnot. But your job is to know that that is happening every day. With a hundred thousand employees, that's happening.
Somebody has credentials to get into your system. You have to be able to control the blast radius. So when they come in legitimately as a physician into your network, how do you keep them from going outside of their boundaries? Right? That's what I mean by controlling the blast radius. So there's an awful lot of so whats on this.
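The "control the blast radius" point above, as an added illustration that is not code from the show or from CommonSpirit: a zone-based segmentation policy in which each hospital entity is its own zone, a role can reach only an allow-listed set of zone/port pairs, and every denied cross-zone attempt by a validly authenticated user is counted as a lateral-movement signal. The host names, zones, roles, the alert threshold and the sample events are all constructed for the example.

```python
"""Blast-radius control as a default-deny, zone-based access policy.

Added example, not from the show or from CommonSpirit. Hosts, zones, roles,
the alert threshold and the sample events below are all constructed.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed topology: each merged hospital entity is its own zone, shared
# identity services live in a separate "core" zone.
ZONE_OF_HOST: Dict[str, str] = {
    "ehr-app-01.site-a": "site-a",
    "ehr-db-01.site-a": "site-a",
    "ehr-app-01.site-b": "site-b",
    "ehr-db-01.site-b": "site-b",
    "ad-dc-01.core": "core",
}

# Allow-list keyed by (role, source zone): the (destination zone, port) pairs
# that role may reach from there. Anything not listed is denied.
ALLOW: Dict[Tuple[str, str], Set[Tuple[str, int]]] = {
    ("physician", "site-a"): {("site-a", 443)},
    ("physician", "site-b"): {("site-b", 443)},
    ("dba", "site-a"): {("site-a", 443), ("site-a", 1433)},
    ("domain-admin", "core"): {("core", 389), ("core", 445)},
}

# Constructed threshold: this many denied cross-zone attempts by one user
# is treated as possible credential misuse / lateral movement.
LATERAL_ALERT_THRESHOLD = 2


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    src_host: str
    dst_host: str
    port: int


@dataclass(frozen=True)
class Decision:
    allowed: bool
    cross_zone: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Decide one request. Valid credentials are assumed; the question is only
    whether this role, from this zone, may reach that zone and port."""
    src_zone = ZONE_OF_HOST.get(req.src_host)
    dst_zone = ZONE_OF_HOST.get(req.dst_host)
    if src_zone is None or dst_zone is None:
        return Decision(False, False, "unknown host: default deny")
    cross = src_zone != dst_zone
    if (dst_zone, req.port) in ALLOW.get((req.role, src_zone), set()):
        return Decision(True, cross, f"{req.role} {src_zone}->{dst_zone}:{req.port} permitted")
    if cross:
        return Decision(False, True, f"cross-zone {src_zone}->{dst_zone}:{req.port} blocked")
    return Decision(False, False, f"port {req.port} not permitted for {req.role} in {src_zone}")


def review_events(events: Iterable[AccessRequest]) -> Dict[str, object]:
    """Evaluate a batch and flag users whose valid credentials keep hitting
    the zone boundary, which is the detection signal segmentation gives you."""
    denied_cross: Counter = Counter()
    decisions: List[Tuple[str, Decision]] = []
    for req in events:
        d = evaluate(req)
        decisions.append((req.user, d))
        if d.cross_zone and not d.allowed:
            denied_cross[req.user] += 1
    flagged = sorted(u for u, n in denied_cross.items() if n >= LATERAL_ALERT_THRESHOLD)
    return {"decisions": decisions, "denied_cross_zone": dict(denied_cross), "flagged_users": flagged}


# Constructed sample: one physician whose account is used normally, then
# pushed at a database port and at other sites; one DBA working normally.
SAMPLE_EVENTS = [
    AccessRequest("dr.lee", "physician", "ehr-app-01.site-a", "ehr-app-01.site-a", 443),
    AccessRequest("dr.lee", "physician", "ehr-app-01.site-a", "ehr-db-01.site-a", 1433),
    AccessRequest("dr.lee", "physician", "ehr-app-01.site-a", "ehr-app-01.site-b", 443),
    AccessRequest("dr.lee", "physician", "ehr-app-01.site-a", "ad-dc-01.core", 445),
    AccessRequest("dr.lee", "physician", "ehr-app-01.site-a", "ehr-db-01.site-b", 1433),
    AccessRequest("dba.kim", "dba", "ehr-app-01.site-a", "ehr-db-01.site-a", 1433),
]

if __name__ == "__main__":
    result = review_events(SAMPLE_EVENTS)
    for user, d in result["decisions"]:
        print(f"{'ALLOW' if d.allowed else 'DENY '} {user:8} {d.reason}")
    print("flagged for possible lateral movement:", result["flagged_users"])
```

The two properties to notice are that the policy is default deny (an unknown host or an unlisted port is refused even inside the user's own zone) and that a denied cross-zone attempt is recorded per user, so a legitimately authenticated account being driven across the boundary shows up as a countable event rather than being silently absorbed.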
We will hopefully learn more as we move along.
The best scenario of what should happen is what happened at Scripps, and maybe even Sky Lakes Medical Center, as examples. They shared within the community. They shared, hey, here's what happened. Here's what the impact was. Here's what the financial impact was. Here's what the operational impact was.
Here's, obviously, what the clinical impact was. They shared within the community what happened. And I hope that we see the same thing come out of this CommonSpirit challenge. All right. That's all for today. If you know someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com,
or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher, you get the picture. We are everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: Gordian Dynamics, Quil Health, Tausight, Nuance, Canon Medical, and Current.
Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.