CommonSpirit EHRs are back online. 30ish days after it all started, what did we learn?
Today in health IT, CommonSpirit is back online. And I'm going to talk about what we learned. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health. I set up channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders.
Gordian dynamics, Quill health tau site Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. All right. Hey, if you're looking for the interviews and action that we did at CHIME, you're going to want to subscribe to This Week Health Community. We are dropping them over there. This Week Health Community is the green one. So if you search on any of your podcast listening
options, Apple Podcasts, Google Podcasts, Spotify, look for the green one this week called the community. And we are publishing them over there. Great interviews. Look forward to getting your feedback as you listen to those. All right, I'm going to be another announcement. I'm going to be at the HLTH conference starting on Sunday. I may or may not get today's shows out on Monday and Tuesday.
I hope to, but I cannot promise it. A lot of travel, and I'm technically on vacation Thursday, Friday this week, in between the CHIME conference and the HLTH conference. So I'm even recording this on my vacation. So don't tell All right. CommonSpirit. So Chicago-based CommonSpirit says the EHRs in most of their markets are back up and running.
Following the ransomware attack that has plagued the health system in most, in recent weeks, most CommonSpirit patients can now access their electronic medical record histories through their patient portals. While the health system is working to restore online appointment scheduling, it And a November 9th news release the nonprofit health system with more than 140 hospitals across 21
started taking systems offline in early October after discovering the ransomware attack, leading to canceled appointments and delayed procedures. CommonSpirit says it continues to investigate what, if any, patient data has been affected by the incident. We care deeply about our patients and regret any challenges
or frustration they may have experienced as a result of the incident. This statement Thank you to our patients, providers, staff, and partners as we continue to navigate the response and restoration process. All right. You know, what did we learn? Well, we didn't learn much, to be honest with you. There's, there's things we can surmise, but we didn't learn much yet. Hopefully as we get further down the road, we will
some insights as to what actually happened and, and be able to learn from Here's some things we can surmise. They weren't ready for this. This 30-day outage of the EHR is the same thing we saw at Sky Lakes. It's the same thing we saw at Scripps. This is what happens when you are flat-footed. Right. A 30-day outage of your EHR is when you are flat-footed, you are not prepared for this kind of outage. So that's one thing we learned.
I think one of the things I have sort of extrapolated based on the, the systems that were down is I think this was merger related. I think the CommonSpirit core was well-protected. But I think the acquired entities were not as up to speed. The acquisition process did not integrate their security processes, procedures, practices, tools
quick enough. I think that's one of the things that I've sort of surmised from the outside. Again, I don't know anything and I'm not talking to anybody who's, who's giving me inside details on this. I'm just from the, from the articles that I've read. I am looking at it going, you know what.
The health systems were generally CHI systems and systems that they had acquired. I didn't see any of the core CommonSpirit Health, the original Dignity. I didn't see any of those systems impacted. I could be wrong on that, but I'm pretty sure I'm accurate on that. So I think it's through acquisition. One of the learnings we have to take away from this is when we're doing acquisitions, that we have to integrate our security practices as quickly as possible. I also think we should connect them that quickly
until we are sure, absolutely sure, that they are, both systems are up to snuff. I don't care which one's the bigger and smaller. You shouldn't be connecting systems until you know that. The other thing I will say is this could be an indication of how we set up our architecture moving forward, the network architecture.
And considering, you know, it's interesting. When I came into healthcare, we were in the process of flattening our network, before we had an internal audit around our security and they said, no, no, no, don't flatten your network. Do the opposite. We were flattening our network because it simplified it. Right. It simplified our network, simplified our routing, made things easier to manage, and it reduced our costs.
The problem is it also made it easier to navigate the entire network for those who were attacking. And so we started doing the segmentation and then micro-segmentation as required on our network. That same thing might still be required across our, across our larger entities. We may want to consider having regional networks, or some aspect of that, where we have segmentation.
Again, this is all to control the blast radius. If they get in and they get through one hospital, that's bad, but if they get to 2, 3, 4, 6, 8, 10, that's a lot worse, right? So we want to control the blast radius. If they get to one PC, not a big deal. If they get to 10 PCs, again, not that big a deal, but once they get into that data center,
big deal. All right. So I, I did talk to some CEOs, CISOs, that, they are automating right now. And they're automating the shutdown of an individual machine. If the machine shows any kind of, of activity that is out of the norm, they will shut down that machine. Oh, it's automated.
Nobody's touching it. It's like boom, out. And I asked them, I'm like, you know, that's interesting because that's a far cry from what we would've done maybe four or five years, so maybe even three years, because we wouldn't want to upset the user of those systems and the process and the workflow that was going on on those systems.
And their comment to me was, you know, we were adjacent to a ransomware attack. We saw what it did to that health system, and even the providers and whatnot, they understand what we are doing. We are being extra cautious. So if we see that on the one PC, we shut it down automatically, almost instantaneously.
And quite frankly, they can't move that fast. If you're, if, if it's automated and it's shutting it down within seconds, they're generally not able to break out that quickly and you may have contained something. On the flip side, you might have a false positive, and it has inconvenienced some people.
And, but that's, that's the world that we live in, right. Inconvenience is the price of strong cybersecurity and making sure that you don't end up with a situation like this. I think it's interesting. I think we need to rethink our, our approach to a lot of things. I also had a conversation with somebody
about this concept of SIM jacking, and the fact that we, in, in many cases still use our phone as the source for dual-factor authentication. Well, if you get SIM jacked, that dual-factor authentication just goes through the, it goes through the floor and now you, you've opened up your system.
Regardless, they're not getting in that way yet. I mean, that's a sophisticated attack. It takes a little, takes a little work to do that. Right now, we're still giving them credentials. Right. They're still sending out the, the phishing attacks and we are giving away credentials. They're getting in normally. But what we have to be looking for is that abnormal behavior, when it starts.
I think the other thing I would ascertain from how this has sort of played out 140 hospitals, 21 But the number of hospitals that they did impact, they were in there for a while. It's not like they got in on a Friday and they hatched this thing on Saturday. That's not what happened. They spent a fair amount of time
trying to navigate that network and they were successful in navigating, we think, parts of those networks. Again, we're not going to know. The FBI will know, and others that do the deep forensics will know. Maybe they actually hatched an attack at each one of the regional health systems that got impacted. I'm not, I'm not entirely sure, but regardless we gave them the credentials, they got in, and then they were able to
move laterally and do the things that they normally do. The good news is, hey, there were stopgaps. There were firewalls. They shut it down before it got too far. Even if they were in there a long time, they were not able to get to some of the assets across this 140-hospital system. The other thing is, early on, we talked about this. It seemed like their communication was not well thought out. They may not have been doing
tabletops. They may not have been including the whole organization in that process, but their communication was slow to get out there. There was a lot of uncertainty as to what was going on and whatnot. So again, it seems like they got caught flat-footed. I love the fact that they hired Daniel Barchi. Talked about that earlier this week. No one better.
I think he's a wartime CIO, the kind of person you bring in when things are, and resolve under pressure, to put this thing back on the right track. I believe so. Again, just trying to share some lessons that I think we can see from the outside. Hopefully you can take some of those things, apply them to your health system
to make sure we're not reading about your health system a little bit down the road. All right. That's all for today. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website thisweekhealth.com or wherever you listen to podcasts, Apple, Google, Overcast, Spotify, Stitcher.
You get the picture. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders. Gordian dynamics, Quill health. So site Nuance, Canon Medical, and Current Health. Check them out at thisweekhealth.com/today. Thanks for listening. That's all for now.