OMAHA, Neb. (KMTV) — Wednesday, CHI Health and CommonSpirit confirmed their IT issues are a result of a ransomware attack.
But, there's plenty of unknowns, including if data has been compromised and when the ransomware attack might have been introduced.
We contacted CHI to get more information.
Thursday we asked CHI a series of questions. In response, they said a statement they sent out Wednesday afternoon answers most of them. Below are the questions and their answers.
What is the timeline in which CHI and CommonSpirit believed it to be a ransomware attack and thus took down the systems?
"As previously shared, upon discovering the ransomware attack, we took immediate steps to protect our systems, contain the incident, begin an investigation, and ensure continuity of care," a CHI spokesperson said in an email.
Was data compromised?
"We continue to conduct a thorough forensics investigation and review of our systems and will also seek to determine if there are any data impacts as part of that process," they said in an email.
What updates are being given to patients, including ones who may not have an appointment scheduled but may still be worried their data is compromised?
"Patients who currently have appointments scheduled with us are being contacted on a case by case basis to reschedule or delay certain procedures. If patients do not currently have appointments scheduled but need assistance with prescriptions, they are asked to please call the CHI Health pharmacy location they use and speak with a pharmacist for assistance. If a patient is out of refills for a medication, the patient should contact their pharmacy first and the pharmacy will contact the prescriber to obtain a new prescription with additional refills. CHI Health providers have the ability to write new prescriptions for patients who may require a new medicine," the email stated.
They did not answer if there is a ransom demand.
The head of engineering of Check Point, a cybersecurity firm, say it's expected that companies would be tight-lipped about the situations like this, as told by their insurance company.
"When an incident happens like that and you have a cybersecurity (insurance) policy in place, the cyber insurance organization in almost all cases, has contractual obligations that the policy holder has to follow," said Joel Hollenbeck of Check Point, "and that requires very very closely guarded secrets around disclosure in what's going on."
He believes given the time that has elapsed since the outage first began at least 10 days ago is one indicator of a major cybersecurity incident.
CommonSpirit says it serves 20 million people across the country.
How long could an outage last?
Hollenbeck and Chris Parker, operations manager at local tech company Schrock Industries, each said outages like CHI is experiencing now can last a couple weeks.
But Hollenbeck said often, from an IT perspective, “things linger” within systems. It can take six months to a year to fully recover, he said.
When you have to turn over data, is there anything you can do to protect it?
Parker said that’s a “tough one.”
“You depend on that business to take care of that,” he said.
But he said people aren’t powerless. They can take steps like watch transactions and credit activity. Also, regularly change passwords and security questions. While Hollenbeck and Parker said medical data is a hot target from bad actors, individuals are, of course, at risk of compromising their own data as well, and should keep their personal devices safe.
Are companies up to speed on cybersecurity?
Hollenbeck says it’s not unique to health care: “Most organizations … have not fully embraced a culture of cybersecurity, which is what is required in order to be able to have the best chance of surviving this.”
But Parker said, “The likelihood of bumping into essentially a new ransomware software for the first time is much higher than it was before.”
He said new viruses are being created “incredibly fast,” so antivirus software based on a list of known viruses are having more difficulty keeping up. He said newer software uses machine learning to recognize patterns and block viruses.
He also said increased work from home is making virus protection more difficult.
“Once you take work home,” Parker said, “once you're remotely accessing that software, you're depending on your employees to protect that using antivirus systems.”
A recent settlement
Earlier this month a Baltimore-based health system, Life Bridge, agreed to a settlement of $9.5 million after detecting malware 18 months after it was introduced, Hollenbeck said.
That impacted about half a million people.