MercyOne Des Moines Medical Center has shut down some of its information technology systems, including its electronic health records, after its parent organization faced an unspecified cybersecurity incident Monday.
The Des Moines hospital is among a number of undisclosed facilities affected by an "IT security incident" at CommonSpirit Health, one of MercyOne's parent companies. MercyOne has taken certain systems offline "as a precautionary step" after the incident, which is affecting other facilities in the region, spokesperson Adam Amdor said in a statement Tuesday.
"Our facilities are following existing protocols for system outages and taking steps to minimize the disruption," Amdor said.
It is unclear whether patient health information has been compromised by the incident.
MercyOne Des Moines officials also did not specify how the security incident was affecting patient care or other operations.
However, ambulances were diverted Monday from the hospital's emergency department to other medical facilities. UnityPoint Health-Des Moines officials confirmed Iowa Methodist Medical Center received five ambulances Monday that were diverted during "the short period of time" MercyOne was sending patients elsewhere.
UnityPoint Health spokesperson Mark Tauscheck cautioned that this was not an unusual request because all emergency departments in Des Moines work closely together, "especially in times when there is a need to divert patients based upon capacity and other variables."
The Omaha field office of the Federal Bureau of Investigation declined to comment, stating "as a matter of policy, the FBI does not confirm or deny the existence of investigations."
Other hospitals impacted by the cybersecurity incident
CHI Health locations in the Omaha area owned by CommonSpirit Health have also reported a similar IT security threat affecting electronic health records and other systems, prompting those systems to go offline, according to the Omaha World-Herald.
Health system officials did not specify how many other hospitals in the region may be affected. As one of the nation's largest health systems, Chicago-based CommonSpirit operates 140 hospitals and more than 1,500 other health care sites across 21 states.
Other CommonSpirit facilities in Chattanooga, Tennessee, have also been impacted by a "hacking incident" that prompted the hospitals to reschedule procedures, other news outlets have reported.
The Iowa-based MercyOne was jointly operated by CommonSpirit and Trinity Health until earlier this year, when Trinity signed an agreement to become the sole owner of the Catholic health system that operates throughout Iowa.
However, MercyOne systems continued to use CommonSpirit Health technology as officials prepared to integrate into Trinity.
Cybersecurity threats grow nationwide
The IT security incident that CommonSpirit is experiencing could refer to a number of problems but comes at a time when federal officials are warning health care organizations about the dramatic increase in cybersecurity threats targeting the sector.
Over the past two decades, health care systems have expanded use of information technology and medical technology to increase efficiency and improve patient outcomes. The arrival of COVID-19 further accelerated the adoption of online systems as more staff worked from home or hospitals expanded remote services.
The increased reliance on network-connected technology also creates more opportunities for cybercriminals to exploit, said John Riggi, national adviser for cybersecurity and risk at the American Hospital Association.
Among these threats, federal officials are most concerned about bulk theft of private patient health information and ransomware attacks. These types of cybercrimes are a growing trend among many sectors nationwide, but attacks on health care organizations create a dire situation for patient safety, they say.
Ransomware attacks cripple key systems and prevent hospitals from accessing crucial data, hindering health care staff's ability to provide patient care, Riggi said. In some cases, hospitals have delayed cancer treatments, canceled surgeries and even diverted ambulances carrying trauma patients from the facility.
The troubles with ransomware, phishing
There were at least 168 ransomware attacks against health care organizations in 2020 and 2021, affecting more than 1,700 clinics, hospitals and other health care settings across the country, according to Pew Charitable Trusts.
These data breaches cost companies $4.24 million per incident on average, according to a report from IBM.
Once systems are encrypted, these gangs demand that hospitals pay a ransom to unlock them. They can also sell private health information on the dark web, which is in turn used for identity fraud and other types of fraud, Riggi said.
Officials at the American Hospital Association say that during the pandemic, hospitals faced a "dramatic increase" in the number of phishing campaigns that cybercriminals directed toward the health care sector.
In April, federal officials issued a warning about "an exceptionally aggressive" ransomware group targeting health care organizations. Among its victims was Ohio-based Memorial Health System, which experienced an attack in August 2021 that forced the health system to divert some emergency care patients to other facilities and cancel appointments.
"If their health care system or hospital has seen a high-impact attack ― whether it’s a small Critical Access Hospital or a large multi-state system ― it could take 3-4 weeks minimum to restore just their mission-critical systems," Riggi said.
Riggi travels the country advising health care facilities on cybersecurity, and will be in Des Moines speaking on this topic at the Iowa Hospital Association's annual meeting this week. He often advises hospitals to take all possible steps to prevent an attack, but if all defenses fail, officials should prepare solutions to enable staff to continue patient care with as little disruption as possible.
Michaela Ramm covers health care for the Des Moines Register. She can be reached at email@example.com, at (319) 339-7354 or on Twitter at @Michaela_Ramm.
This article originally appeared on Des Moines Register: MercyOne online systems shut down following 'IT security incident'