The Ascension ransomware attack likely began through an initial access vector, such as a phishing email or exploitation of a software vulnerability, which allowed the Black Basta group to gain a foothold in the health system's network.3 Attackers often use techniques like spear-phishing to trick employees into revealing login credentials or downloading malware, enabling unauthorized access to the organization's systems.1

Once inside the network, the attackers likely conducted reconnaissance to identify vulnerabilities and high-value targets, such as servers housing sensitive data or critical systems.2 Common weaknesses that may have permitted the attack to progress include unpatched software, misconfigured security settings, and inadequate network segmentation.4

The attackers then deployed the ransomware payload, which encrypted files and systems across Ascension's network, rendering them inaccessible.3 The rapid spread of the ransomware suggests that the health system may have lacked sufficient controls to detect and contain the malware before it caused widespread damage.5

Other potential factors that could have contributed to the attack's success include:

• Insufficient employee training on identifying and reporting phishing attempts1

• Lack of multi-factor authentication to prevent unauthorized access4

• Inadequate backup and recovery processes to restore systems without paying the ransom2

• Limited visibility into network activity to detect and respond to suspicious behavior5

The Ascension incident highlights the importance of a multi-layered approach to cybersecurity, addressing both technical vulnerabilities and human factors to minimize the risk of successful ransomware attacks.4 Regular security assessments, timely patching, and well-rehearsed incident response plans are crucial for detecting and mitigating threats before they cause significant disruption to healthcare operations and patient care.35

The Ascension ransomware attack had a profound impact on the health system's operations, patient care delivery, and the well-being of healthcare workers. The cyberattack forced Ascension to take critical systems offline, including its electronic health record (EHR) system, patient portal, phone systems, and various tools used for ordering tests, procedures, and medications.3 This disruption necessitated a shift to manual, paper-based processes, leading to significant challenges and delays in providing care.4

Patients experienced longer wait times, postponed appointments, and difficulties in accessing their medical records and communicating with providers.4 In some cases, ambulances were diverted to other hospitals to ensure emergency cases could be triaged immediately.13 Nurses and doctors struggled to keep track of patient information, medication orders, and test results, relying on handwritten notes and fax machines to coordinate care.11

The lack of access to EHRs and the need to manually document patient information increased the risk of errors and compromised patient safety.7 Healthcare workers reported instances of nearly administering incorrect medications due to the absence of electronic safeguards.7 The disruption also led to delays in receiving critical test results and medical images, hindering timely diagnosis and treatment decisions.4

Ascension employees described the situation as "pure and utter chaos," with the attack taking a significant toll on their well-being and ability to provide quality care.7 Nurses expressed concerns about the impact on patient safety and their own nursing licenses, as the usual safety checks and protocols were compromised.7 The increased workload and stress caused by the cyberattack exacerbated existing staffing challenges and raised fears of burnout among healthcare workers.11

The financial impact of the ransomware attack is expected to be substantial, with Ascension likely facing costs associated with system restoration, legal liabilities, and potential regulatory fines.10 Several class-action lawsuits have already been filed against Ascension, alleging that the health system failed to adequately protect patient data.510

The Ascension incident highlights the far-reaching consequences of ransomware attacks on healthcare organizations, underscoring the urgent need for robust cybersecurity measures and well-rehearsed incident response plans.13 As the healthcare sector continues to grapple with the growing threat of cyberattacks, the lessons learned from the Ascension breach will be crucial in shaping future strategies to safeguard patient care and data security.18

Ascension engaged leading cybersecurity firms, including Mandiant, Palo Alto Networks Unit 42, and CYPFER, to assist in the investigation and remediation efforts.1 The health system also notified the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) about the incident.2

Ascension launched dedicated websites to provide updates on the cyberattack and the operational status of its facilities.3 While working to restore systems safely, the organization has not provided a timeline for full recovery due to the complexity of the incident.1 Ascension pledged to notify and support any individuals whose sensitive information may have been compromised, in accordance with regulatory and legal guidelines.2

Federal agencies played a crucial role in supporting Ascension's response to the ransomware attack and issuing guidance to the broader healthcare sector. The FBI, Cybersecurity and Infrastructure Security Agency (CISA), and the Department of Health and Human Services (HHS) were notified about the incident and worked closely with Ascension throughout the investigation and recovery process.315

The FBI and CISA issued a joint advisory warning about the Black Basta ransomware group, believed to be responsible for the Ascension attack, providing technical details and mitigation recommendations for healthcare organizations.1516 The advisory aimed to help the industry bolster its defenses against the emerging threat posed by Black Basta.15

HHS released a statement acknowledging the Ascension cyberattack and emphasizing its commitment to understanding the health system's efforts to restore operations and protect patient information.14 The agency's involvement underscores the severity of the incident and its potential impact on patient care and data security.

The American Hospital Association (AHA) and the Health Information Sharing and Analysis Center (H-ISAC) also played essential roles in disseminating threat intelligence and best practices to their member hospitals.15 Ascension shared relevant threat information with H-ISAC to help industry peers take proactive measures to defend against similar attacks.15

Furthermore, the White House confirmed the involvement of several federal agencies in Ascension's recovery efforts, highlighting the coordinated response at the national level.10 In light of the increasing frequency and severity of ransomware attacks targeting healthcare, HHS announced a $50 million investment in a cybersecurity initiative to develop tools to help hospitals better protect themselves against such threats.4

The collaboration between Ascension, federal agencies, and industry organizations demonstrates the importance of a unified approach in combating the growing threat of ransomware in the healthcare sector. The lessons learned from the Ascension incident will likely shape future policies and initiatives aimed at strengthening the cybersecurity posture of the nation's critical healthcare infrastructure.1318

The decision to pay a ransom in a ransomware attack is a complex and controversial issue. While paying the ransom may seem like the quickest way to restore operations and prevent data leaks, it comes with significant risks and ethical concerns.

According to recent data from Coveware, a ransomware remediation firm, the percentage of ransomware victims choosing to pay the ransom has fallen to a record low. In Q1 2019, more than 80% of victims paid the ransom, but this dropped to just 28% in Q1 2024.1 Several factors have contributed to this decline, including better preparedness, more advanced protective measures, legal pressure not to give in to demands, and growing distrust of ransomware groups.1

There have been increasing instances of ransomware groups continuing to leak data or trade stolen information with other groups even after receiving payment.1 For example, in the recent Blackcat ransomware attack on Change Healthcare, the operators pocketed the $22 million ransom but did not pay the affiliate, who then switched to the RansomHub group and started leaking the data to pressure the victim into paying another ransom.1

Law enforcement agencies generally advise against paying ransoms, as it encourages attackers and funds further criminal activities.3 Paying a ransom does not guarantee that the stolen data will be deleted or that systems will be restored.2 In fact, in Q3 2023, only 26% of victims who faced data theft paid the ransom, suggesting growing skepticism about the trustworthiness of ransomware groups.2

Some governments are considering banning ransom payments to curb attacks. However, Coveware suggests this could backfire, leading companies to stop reporting attacks and hindering law enforcement investigations.2 A ban could also create a large illegal market for ransom payments.2

Instead of relying on ransom payments, organizations should focus on preventive measures and incident response planning. This includes maintaining secure backups, implementing multi-factor authentication, educating employees about phishing and social engineering tactics, and having a well-rehearsed plan for detecting, containing, and recovering from attacks.3

While the decision to pay a ransom ultimately depends on the specific circumstances and potential consequences for the victim, the declining trend in ransom payments suggests that more organizations are choosing to invest in cybersecurity defenses and recovery capabilities rather than giving in to attackers' demands. As Coveware notes, the fight against ransomware is winnable, but it will require sustained efforts from organizations, law enforcement, and policymakers to turn the tide against this growing threat.2

Paying a ransom to cybercriminals in a ransomware attack can have serious legal consequences for organizations. While there are currently no explicit federal laws prohibiting ransom payments, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) considers such payments a type of transaction that may violate the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA) if the attackers are linked to sanctioned entities or embargoed countries.34

Sanctions violations can result in hefty civil penalties, fines, or settlements, and in some cases, even criminal charges if the government believes the organization's actions were criminally negligent.3 Notably, OFAC has stated that organizations can be held civilly liable even if they were unaware their ransom payment was illegal.3

In addition to federal regulations, some states have begun enacting laws that prohibit certain ransom payments.5 These state-level restrictions make it even more crucial for organizations to carefully consider the legal implications before deciding to pay a ransom.5

Paying a ransom may also raise ethical concerns, as it can be viewed as funding criminal groups or terrorist organizations.1 Furthermore, there is no guarantee that paying the ransom will result in the decryption of systems or the deletion of stolen data, and it may even encourage attackers to target the organization again in the future.24

To avoid potential legal and ethical pitfalls, organizations should focus on implementing robust cybersecurity measures, developing comprehensive incident response plans, and collaborating with law enforcement agencies in the event of a ransomware attack.12 Timely reporting of ransomware incidents to relevant authorities, such as the FBI and CISA, is mandatory and can help facilitate a coordinated response.3

The Ascension ransomware attack serves as a wake-up call for healthcare administrators, highlighting the critical importance of robust cybersecurity measures and well-rehearsed incident response plans. Several key lessons can be drawn from this incident to help healthcare organizations better prepare for and respond to future cyberattacks:

1. Prioritize cybersecurity investments: Healthcare organizations must allocate sufficient resources to strengthen their cybersecurity defenses, including implementing multi-factor authentication, regularly updating software and systems, and conducting frequent security audits.18 Investing in advanced threat detection and response capabilities can help identify and mitigate potential breaches before they cause significant damage.13

2. Develop and test incident response plans: Having a comprehensive incident response plan is crucial for minimizing the impact of a cyberattack. Healthcare administrators should ensure that their organizations have well-documented procedures for detecting, containing, and recovering from security incidents.18 Regular tabletop exercises and simulations can help identify gaps in the response process and improve the organization's overall resilience.13

3. Provide regular cybersecurity training: Employees play a critical role in maintaining an organization's cybersecurity posture. Healthcare administrators should prioritize regular cybersecurity awareness training for all staff members, focusing on topics such as identifying phishing attempts, secure password practices, and reporting suspicious activities.16 A well-informed workforce can serve as the first line of defense against cyber threats.13

4. Establish clear communication channels: During a cyberattack, effective communication is essential for maintaining patient trust and minimizing confusion. Healthcare administrators should develop clear communication protocols for informing patients, staff, and the public about the incident and the steps being taken to address it.6 Transparency and timely updates can help mitigate the reputational damage associated with a breach.3

5. Collaborate with industry peers and government agencies: The Ascension incident underscores the importance of information sharing and collaboration within the healthcare sector. Administrators should actively participate in industry forums, such as the Health Information Sharing and Analysis Center (H-ISAC), to exchange threat intelligence and best practices.15 Establishing strong relationships with federal agencies, such as the FBI and CISA, can also facilitate a more effective response to cyberattacks.14

6. Regularly backup and test data restoration processes: Maintaining regular, secure backups of critical data and systems is essential for ensuring a swift recovery from a ransomware attack. Healthcare administrators should implement a robust backup strategy and regularly test their data restoration processes to minimize downtime and data loss in the event of an incident.19

By incorporating these lessons into their cybersecurity strategies, healthcare administrators can better position their organizations to prevent, detect, and respond to the growing threat of ransomware attacks. As the Ascension incident demonstrates, the consequences of a successful breach can be far-reaching, impacting patient care, staff well-being, and the organization's reputation and financial stability.10 Proactive measures and a commitment to continuous improvement are essential for safeguarding the healthcare sector against the evolving cyber threat landscape.18

The Change Healthcare cyberattack offers several critical lessons for healthcare organizations to strengthen their cybersecurity posture and resilience:

1. Conduct comprehensive risk assessments: Healthcare providers should regularly assess their cybersecurity threats and vulnerabilities using a risk-based approach. This includes evaluating internal controls, aligning with industry frameworks, and partnering with cybersecurity experts to identify and address unique challenges.1

2. Prioritize business continuity and disaster recovery (BCDR) planning: Robust BCDR plans are essential for minimizing the impact of cyberattacks on operations and patient care. Organizations should develop, test, and update these plans to ensure timely and effective incident response.3

3. Manage third-party risks: The attack underscores the importance of thorough vendor risk management, as vulnerabilities in third-party systems can have far-reaching consequences. Healthcare organizations must carefully assess and monitor the security practices of their vendors and partners.5

4. Invest in network security and access controls: Implementing strong network security measures, such as multi-factor authentication, network segmentation, and regular patching, can help prevent unauthorized access and limit the spread of malware.15

5. Enhance threat detection and response capabilities: Healthcare providers should invest in advanced threat detection tools and incident response expertise to quickly identify and contain potential breaches. Collaborating with industry peers and government agencies can facilitate information sharing and coordinated response efforts.45

6. Develop clear crisis communication plans: Effective communication during a cyberattack is crucial for maintaining patient trust and minimizing reputational damage. Organizations should establish protocols for timely, transparent updates to stakeholders, leveraging various channels, including social media.4

7. Prioritize employee training and awareness: Regular cybersecurity training for all staff members is essential for fostering a culture of security awareness. Employees should be educated on identifying phishing attempts, reporting suspicious activities, and following secure practices.15

By incorporating these lessons into their cybersecurity strategies, healthcare organizations can enhance their resilience against the growing threat of cyberattacks, safeguarding patient data, ensuring continuity of care, and protecting their reputation and financial stability.135

Ascension has created a dedicated website to provide updates and information about the ransomware attack that affected its operations.1 The website, https://about.ascension.org/en/cybersecurity-event, serves as a central resource for patients, employees, and the public to stay informed about the health system's response and recovery efforts in the wake of the cyberattack.1 By establishing a clear communication channel, Ascension aims to maintain transparency and minimize confusion as it works to restore systems and ensure the continuity of patient care.1