In the News: Patient data stolen in Ascension ransomware attack, but EHR restored
Published originally on June 14, 2024 on SC Magazine.

Ascension this week made two follow-up announcements around the Black Basta ransomware attack that forced the non-profit healthcare provider to shut down its systems across 142 hospitals and 40 senior facilities in early May and resort to filling out charts on paper.

On June 12, Ascension said attackers stole files that may contain the protected health information (PHI) and personally identifiable information (PII) of patients. Ascension said an employee working in one of its facilities accidentally downloaded a malicious file that they thought was legitimate.

“We have no reason to believe this was anything but an honest mistake,” said the non-profit.

Ashley Leonard, founder and CEO of Syxsense, pointed out that there are two important differences in Ascension’s response versus the response from United Healthcare after the Change Healthcare incident earlier this year.

Leonard said Ascension’s latest posts demonstrated a clear difference in culture. Ascension framed the latest details as an employee’s inadvertent role in the cyberattack. This lack of blame placed on the employee (at least externally) is quite different from former cyberattacks, for example SolarWinds, where CISO Tim Brown still faces legal charges from the 2020 incident.

“The truth is simply that humans make mistakes,” said Leonard. “To pressure IT and security staff to be perfect 100% of the time is simply not a strategy.”

Read the full article on SC Magazine to find out Ashley’s second critical difference between Ascension Health and Change Healthcare.