The Ascension Health Outage Was a Communications Continuity Failure

Alright, let's talk about the Ascension Health outage. Everyone's heard about the ambulances getting diverted and doctors going back to paper charts, which is obviously a pretty big deal. But what hasn't gotten as much airtime, and what really made my ears perk up, is how badly their communication systems got hit.

Patients trying to call their care teams? Phones ringing off the hook, no one answering. Patient portals? Locked up tighter than a drum. Call centers? Staff couldn't even pull up basic patient info. Forget about care, this was a full-blown communication breakdown.

Why The Ascension Health Outage Was a Communications Continuity Failure Matters Now

Look, I've been doing this long enough to remember when 'disaster response security' was a box you checked once a quarter. A nice-to-have, right? Now, though? It's daily ops. No joke.

You know the reasons: bad actors have cheap tools, we've got more ways for folks to reach us than ever before, and regulators are finally sniffing around. If your organization was waiting for someone to tell you to get your ducks in a row, you're already a year behind the curve. And with generative AI making it dirt cheap to impersonate anyone, that gap's just getting wider.

When I look at the traffic for this stuff, I'm not just seeing headlines about big incidents. What's really telling are the internal searches from companies: "healthcare policy template," "healthcare verification workflow"-that's the real work, the stuff execs are quietly trying to figure out behind the scenes.

The Threat Pattern in Practice

Here’s how it usually goes down: your main systems tank, and suddenly, your contact center becomes the face of your entire organization. To every single person calling in, those poor souls on the phones are the only connection they have. If that contact center doesn't have a plan for when everything's gone sideways, your outage just got a whole lot worse.

Call volumes explode, wait times go through the roof, and then the really nasty stuff starts. Fraudsters, bless their hearts, just love chaos. They'll use the confusion to try and pull information. And while all that's happening, legitimate, urgent calls get completely buried.

Out in the field, this kind of mess usually starts in places that were built for convenience. Think about those manager overrides, the recovery flows for passwords, or how the night shift handles new patients - anything designed to keep things chugging along when things are already a bit off-kilter. The bad guys aren't stupid; they study these bypasses just like your auditors do, and they're usually there first. It’s rarely about how fancy their attack tools are. It’s about how much pushback they hit once they’re already in your system.

What Effective Defense Looks Like

This isn't about throwing more bodies at the problem; it's a design challenge. We’re talking about having scripts ready to go for those "oops" moments, routing calls so they don't depend on your main identity systems, and ways to verify callers even if your big database is offline.

None of this is glamorous, let's be real. Most places only bother to build it after something big has already gone wrong. But it’s worth it.

My team and I, we have a simple way of putting it: "raise the cost." You're not going to stop every single attempt, nobody can promise that. But you can make a successful attack so much work, so time-consuming, that the attacker just looks for an easier target. It's the same idea behind any other security program, and it works here too, if you actually stick with it instead of just treating it as a one-off project.

Practical Next Steps for Your Team

Ascension will bounce back, no doubt about it. The real takeaway for us, though, is that planning for communications continuity needs the same kind of muscle as planning for, say, clinical continuity. And you've gotta test it in ways that feel like a real outage, not just a bunch of folks sitting around a table with a flip chart.

If you only do one thing after reading this, do this: pick your most critical workflow, the one where an incoming call can kick off significant stuff. Then, write down every action that call can authorize. Now, look at each one and ask yourself: "Could this survive a really smart impersonation attempt?" Most teams, after that little exercise, end up with a short list of changes. Improvements that pay for themselves pretty quickly, and you don't even have to buy any new fancy software.

What We Are Watching Next

Over the next year or so, I expect to see healthcare risk management keep spreading beyond just the security team. It's going to end up in operations, legal, and even customer experience departments. That’s a healthy shift, honestly. And it's something to plan for right now, instead of just reacting to it later. We’ll keep sharing what we’re seeing from the field as this whole thing continues to unfold.