Attack on Shared IT Supplier Affects 5 Hospitals in OntarioNonemergency Patients Asked to Cancel or Reschedule Appointments During Outage
A cyberattack on a shared IT services organization is forcing five member hospitals in Ontario to cancel or reschedule patient appointments and steer nonemergency patients to other facilities.
See Also: Healthcare Sector Threat Brief
Attacks against third-party vendors are rising and while many regional hospitals have focused on disaster preparedness for events such as floods and hurricanes, they have not adequately prepared for a major cyber disruption, some experts said.
"Perhaps we need to think more broadly about this - particularly if we have common IT vendors or service providers used by many organizations within the same region," said Jon Moore, chief risk officer at privacy and security consultancy Clearwater.
TransForm Shared Services Organization in a statement Monday said it was experiencing "a systems outage including email." Later in the day, TransForm updated the statement to say that it had determined that its member hospitals are experiencing a cyberattack.
"Unfortunately, this incident is impacting their provision of care in various ways. For those patients who have care scheduled in the next few days, the hospitals will contact you directly, if possible, to reschedule or provide alternate arrangements," TransForm said in the updated statement.
"We are investigating the cause and scope of incident, including whether any patient information was affected. Our investigation is ongoing."
TransForm, a local nonprofit organization founded by the five hospitals affected by the cyberattack, runs IT and clinical systems, supply chain and accounts payables of those entities.
The five member hospitals are Bluewater Health, Chatham-Kent Health Alliance, Erie Shores HealthCare, Hôtel-Dieu Grace Healthcare and Windsor Regional Hospital. Those hospitals are located in the Erie St. Clair region in southwestern Ontario and represent half of about 10 hospitals based in the area.
The hospitals in a joint statement on Monday asked patients who do not need emergency care "to attend your primary care provider or local clinic to reduce the impact upon the hospitals as we work towards addressing these issues and focus on those needing hospital care."
When an IT service vendor providing services to multiple hospitals within regional proximity is affected by a cyber incident, the situation can become life-threatening to patients, said Keith Fricke, partner and principal consultant at privacy and security firm twSecurity.
This is because there are fewer - if any other - facilities nearby where emergency patients can be diverted or transferred to receive care, he said.
Other aspects of a cyber incident become more complicated when a major regional IT services supplier is attacked, Moore said.
"This scenario has several added risks," he said. "Essentially, an attack on one hospital becomes an attack on all because of the common IT provider. The attack may also spread faster. If there are interconnections between systems within the group of hospitals, this can facilitate the spread of an attack," he said.
Recovery also can be more challenging and time-consuming because of the complexity across multiple operations, resulting in delays in bringing systems back up and potential gaps in services, Moore said. "How do you prioritize recovery across the different hospital systems? Of course, patient safety is the biggest concern and risk; with multiple hospitals in the same relative geographical area impacted, there will be an additional burden on emergency services at any remaining facilities."
Also, patients who face delays in appointments, tests and other services may experience negative health impacts due to lack of treatment, he said.
The five Canadian hospitals that are dealing with the TransForm incident are among the latest to be affected by a cyberattack affecting multiple hospitals in a region.
Last weekend, HealthAlliance Hospital and Margaretville Hospital in Ulster County, New York, temporarily diverted ambulances to other area facilities as the two-hospital group also responded to a cyberattack.
The two hospitals have resumed accepting emergency room patients transported by ambulances and are providing other services, but they said in a statement Monday that they are still working to restore full IT operations.
In August, a cyberattack affected Singing River Health System, which serves the Mississippi Gulf Coast. That incident forced the system's three hospitals to take their IT systems offline for several days and resort to paper charting and other manual processes for patient care (see: Mississippi Hospital System Still Struggling With Attack).
Experts said cyber incidents affecting multiple hospitals in a geographical region - including those serviced by the same IT providers - spotlight the importance of thorough vendor risk management and business continuity planning.
"This might not be as uncommon as one might think. Often, organizations are sharing information on the tools and vendors they use, and decision-makers trust the recommendations of their peers at other organizations," Moore said.
"Given this level of risk and the potential impact, a more rigorous and active approach to managing risk should be applied to this vendor than might normally be applied to less risky service providers," he said.
With most traditional vendors, each customer is on its own to decide and invest in vendor risk management. In circumstance such as TransForm, where the providers have come together to create or select the same common vendor, "then there is also an opportunity for them to share the cost associated with the management of risk, including third-party assessments and testing of the security program," Moore said.
"This governance and shared security responsibility should be planned and documented as part of the development of the service arrangement."
When multiple hospitals in a geographical region depend on shared, critical IT suppliers, extra consideration must be given to disaster planning and business continuity plans, Fricke said.
For example, business continuity plans should include establishing business relationships with alternate vendors able to provide services if the primary vendor is unable to deliver services or support products, he said.
Also, "hospitals should expect the shared services vendor to have its own disaster recovery and business continuity plans - testing and updating them regularly," he said.
The hospitals also should review their own cyber insurance policies to understand what claims will be paid in this situation, Fricke said. Finally, "hospitals should require the shared services vendor to have cyber insurance and understand if the vendor's policy has enough coverage to handle claims from the hospitals subscribing to its services."
TransForm and the Ontario hospitals affected by the cyberattack did not immediately respond to Information Security Media Group's requests for comment and additional details about the incident.