Full Report
Three hospitals run by Catholic healthcare organization Covenant Health are dealing with a cyberattack that forced the facilities to shut off all access to data systems.
Analysis Summary
# Incident Report: Covenant Health Cyberattack Disrupts Hospital Operations
## Executive Summary
Covenant Health, a healthcare organization operating across several Northeastern US states, experienced a cyberattack beginning on May 26th, which led to the immediate shutdown of all data systems across its hospitals, clinics, and provider practices as a precautionary measure. The attack caused significant operational disruption, forcing hospitals to rely on manual, paper-based processes for services like lab work and resulting in patient wait time extensions. Cybersecurity experts were engaged to investigate and restore full system access.
## Incident Details
- **Discovery Date:** Monday, May 26
- **Incident Date:** On or about May 26 (date of awareness)
- **Affected Organization:** Covenant Health (operating hospitals in Maine: St. Joseph Hospital, St. Mary’s Health System; and New Hampshire: St. Joseph Hospital)
- **Sector:** Healthcare
- **Geography:** Maine, New Hampshire (organization operates across ME, MA, NH, PA, RI, VT)
## Timeline of Events
### Initial Access
- **Date/Time:** Prior to or on Monday, May 26 (Date of awareness)
- **Vector:** Not explicitly stated; implied access leading to system irregularities.
- **Details:** Covenant Health became aware of irregularities impacting connectivity across the organization.
### Lateral Movement
- **Details:** Not detailed in the description, but the scope of the impact suggests successful exploration across connected data systems.
### Data Exfiltration/Impact
- **Details:** The primary impact described is operational disruption due to system shutdown. Potential data compromise is unconfirmed but is a standard consideration in such incidents. Services affected include phones, internet access, and reliance on paper orders for lab services. Post-acute care facilities experienced "minimal impact" as they utilize a different clinical platform.
### Detection & Response
- **How it was discovered:** The organization became aware of "irregularities impacting connectivity."
- **Response actions taken:** Immediate discontinuation of access to all data systems across hospitals, clinics, and provider practices. Hired cybersecurity experts to investigate and restore access. Hospitals communicated outages to patients via websites and focused on maintaining essential care using manual, paper processes.
## Attack Methodology
- **Initial Access:** Unknown/Undisclosed.
- **Persistence:** Unknown/Undisclosed.
- **Privilege Escalation:** Unknown/Undisclosed.
- **Defense Evasion:** Unknown/Undisclosed.
- **Credential Access:** Unknown/Undisclosed.
- **Discovery:** Unknown/Undisclosed.
- **Lateral Movement:** Implied across networked clinical and administrative systems.
- **Collection:** Unknown/Undisclosed.
- **Exfiltration:** Unknown/Undisclosed.
- **Impact:** Disruption of IT systems leading to operational workarounds and service degradation.
## Impact Assessment
- **Financial:** Not disclosed.
- **Data Breach:** Unknown if data was exfiltrated, but system unavailability and the nature of the attack suggest potential exposure of patient or operational data.
- **Operational:** Significant service slowdowns at hospitals, increased wait times, inability to process electronic orders (requiring paper orders for labs). Minimal impact on post-acute care facilities.
- **Reputational:** Public notification required via hospital websites regarding extended wait times and service limitations.
## Indicators of Compromise
- **Network indicators:** Details not provided (e.g., specific malicious IPs or domains).
- **File indicators:** Details not provided.
- **Behavioral indicators:** Irregularities impacting network connectivity across the organization.
## Response Actions
- **Containment measures:** Immediate cessation of access to all data systems organization-wide as a precautionary measure.
- **Eradication steps:** Cybersecurity experts were engaged to determine the root cause and remediate the environment (details pending).
- **Recovery actions:** Working to restore full system access while continuing to provide healthcare services, encouraging patients to keep appointments.
## Lessons Learned
- The organization's business continuity planning allowed essential patient care (though degraded) to proceed via manual fallback procedures (paper orders).
- The immediate, broad shutdown of systems indicates a prioritization of patient safety over immediate system access upon detection of irregularities.
## Recommendations
- Review and enhance segmentation between critical clinical platforms (like post-acute care systems) and core hospital networks to limit the blast radius of future incidents.
- Conduct comprehensive forensic analysis to identify the initial entry vector and ensure complete eradication of the threat actor before full system restoration.
- Develop robust communication protocols for quickly updating internal staff and external stakeholders beyond standard website notifications during system outages.