Fraud Management & Cybercrime , Governance & Risk Management , Healthcare

Thanksgiving Day Attack on Ardent Health Serving Leftovers

Did Ransomware Attack on Regional Hospital Chain Involve a Citrix Bleed Exploit?
Thanksgiving Day Attack on Ardent Health Serving Leftovers
Hackensack Meridian Mountainside Medical Center in Montclair, New Jersey is among the Ardent Health hospitals still affected by a Thanksgiving Day ransomware attack. (Image: Hackensack Meridian Health)

Patient services - including emergency care and telehealth appointments - are still affected at dozens of hospitals and other care facilities in several states operated by Ardent Health Services as the Tennessee-based organization continues to respond to a Thanksgiving Day ransomware attack.

See Also: Critical Condition: How Qilin Ransomware Endangers Healthcare

Among the many facilities still affected are two New Jersey hospitals that are part of a joint venture between Ardent Health and Hackensack Meridian Health - Hackensack Meridian Mountainside Medical Center in Montclair and Hackensack Meridian Pascack Valley Medical Center in Westwood.

"Effective noon today, Mountainside has moved to critical care divert, asking local ambulance services to transport critical patients to other area ERs. Ambulance units are able to bring noncritical patients to the hospital. Pascack Valley Medical Center remains on full divert," a Hackensack Meridian Health spokeswoman told Information Security Media Group on Tuesday.

"As we work to bring our systems back online, each hospital will continue to evaluate its ability to safely care for critically ill patients in its emergency room," she said. "Because this is rapidly changing and dependent upon a number of factors, we will continue to update our status as the situation changes. Both hospitals are continuing to provide a medical screening exam and stabilizing care to any patients arriving at our emergency departments."

Hackensack Meridian is directly contacting any patient whose appointment or procedure needs to be rescheduled, she added.

Hackensack Meridian Health has several other hospitals and care facilities in New Jersey that are not part of its Ardent Health joint venture. Those locations have not been affected by the Ardent Health ransomware attack, as they are hosted on a separate network, the Hackensack Meridian spokeswoman said.

Regional Issues

A larger hospital operator, Catholic nonprofit chain CommonSpirit, last fall dealt with a similar situation during a ransomware attack that affected IT systems at some but not all of its facilities. The location and the connection to a hospital IT system associated with a previous ownership entity were two major factors in the attack (see: CommonSpirit's Ransomware Incident Taking Toll on Patients).

Although much smaller than CommonSpirit, which has 140 hospitals and 2,200 other care facilities, Ardent Health also has grown its 30 hospital and 200-plus other healthcare holdings through multiple acquisitions and joint partnerships over the last two decades.

Other Ardent Health hospitals affected by the ransomware attack include several University of Texas - or UT Health - facilities that Ardent Health operates in Texas, as well as multiple hospitals and other medical care facilities in Oklahoma, Kansas, Idaho and New Mexico.

Each hospital or system has a unique set of technologies, applications and legacy equipment, said Wendell Bobst, senior security consultant at twSecurity. In the Ardent situation, it so far appears that part of the entity's network was breached, leaving some hospitals in other areas or regions unaffected, he said.

"It is common for IT to centralize or regionalize IT services and one of these regional centers appears to have been hit," he said. "Because Ardent is a larger system, we have higher expectations for having a mature set of practices and technologies. Fortunately, it seems that Ardent has some internal controls that have prevented the spread of ransomware to other regions," he said.

The Ardent Health incident is also the latest in a string of cyberattacks targeting operators of regional hospitals in recent months.

IT services provider TransForm Shared Services and its five member hospitals in Ontario are still working to fully recover from a ransomware attack in October that forced the entities to take their IT systems offline and divert patients to other area facilities (see: Ontario Hospitals Expect Monthlong Ransomware Recovery).

Also, during the summer, Prospect Medical Holdings, which is based in California but operates 17 regional hospitals and clinics in several states, and Singing River Health System, which has three hospitals and multiple medical facilities serving the Mississippi Gulf Coast region, each suffered ransomware attacks that disrupted patient care delivery for weeks.

"Ransomware attacks on hospitals represent a very real risk to patients, especially when ambulances need to be diverted to the next nearest hospital," said Brett Callow, a threat analyst at security firm Emsisoft. "Unless we find a way to better protect our hospitals, it's inevitable that an attack will result in a loss of life. The fact that that seems not to have happened to date is partly due to luck, and that luck will eventually run out."

Thanksgiving Day Attack

Ardent Health on Monday confirmed that it has been dealing with a cyberattack since Thanksgiving morning (see: Hospital Chain Hit With Ransomware Attack).

Ardent Health said that in response, the organization took its network offline and suspended all user access to its information technology applications, including corporate servers, Epic electronic health record software, internet and clinical programs.

In the interim, Ardent Health said, the incident is resulting in "temporary disruption" to certain aspects of Ardent's clinical and financial operations and that in "an abundance of caution," its facilities are rescheduling some nonemergent, elective procedures and diverting some emergency room patients to other area hospitals until systems are back online.

Also affected are Ardent Health's MyChart patient portal and its on-demand video telehealth visits, which are temporarily unavailable. "Ardent teams are working around the clock to bring our systems back online and to establish a timeline for returning all applications to fully operational. At this time, we do not have a firm timeline for restoring full access," the entity said.

Ardent Health did not immediately respond to ISMG's request for additional details about the ransomware attack and the entity's recovery status.

Vulnerability Exploited?

Meanwhile, although Ardent Health has not publicly disclosed specifics involving its attack, the incident is among a number of unconfirmed IT outages across the country suspected by some security experts to involve exploitation of Citrix Bleed, a critical vulnerability affecting both NetScaler ADC and Gateway devices.

NetScaler on Oct. 10 issued a security alert and patch for CVE-2023-4966, a critical vulnerability also known as Citrix Bleed (see: Amid Citrix Bleed Exploits, NetScaler Warns: Kill Sessions).

Subsequently, both the U.S. Cybersecurity and Infrastructure Security Agency and Google Cloud's Mandiant threat intelligence unit reported attackers had been actively exploiting the flaw in the wild prior to the release of the patch.

"While it's not been confirmed, it's suspected that at least some these outages were tied to a known vulnerability found in certain Citrix servers," said Carter Groome, founder and CEO of consultancy First Health Advisory. "The company patched those flaws more than a month ago, but in healthcare, prompt patching is a difficult task."

The Ardent Health, Prospect Medical and similar recent healthcare sector cyberattacks "are par for the course in an environment where budgets are stretched too thin and hospitals lack the workforce and/or tools to quickly pivot address vulnerability, patch and remediate," Groome said.

"Not to mention, a large majority of health systems that lack the investments needed to assure cyber resiliency," he added.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.