On May 8, 2024, Ascension detected unusual activity on parts of its network and took key systems offline, including its electronic health record and patient portal, forcing clinicians to revert to paper workflows and in some locations to divert ambulances. The initial public accounts described a classic ransomware-style disruption: EHR and MyChart unavailable, phone systems impacted, and restoration work underway with outside forensics support.

Within days the health sector’s information-sharing bodies and federal partners issued warnings and advisories. H-ISAC and the American Hospital Association circulated defensive guidance after the incident, and CISA, FBI, HHS and MS-ISAC had already published a Black Basta advisory in early May describing the group’s tactics, techniques, and procedures that are frequently used to gain initial access and move laterally inside victim networks. Those public advisories framed the incident for defenders and pointed to attacker behaviors that often bypass or blunt endpoint protections.

What happened at Ascension is not unique. The pattern reported on May 8 and in subsequent industry alerts maps to a frequent failure mode for endpoint defenses: detection gaps during initial access, delays in telemetry aggregation, and insufficient controls for credential abuse and remote access tooling. CISA’s advisory highlights the core techniques Black Basta affiliates and similar groups use: phishing and exploitation for initial access, use of remote administration tools, disabling or evading anti-virus and endpoint controls, and data exfiltration before encryption. When those actions occur quickly and across multiple hosts, an organization that must prioritize uptime and that supports legacy clinical endpoints can be at a severe disadvantage.

Where endpoint detection commonly fails

  • Visibility fragmentation: Hospitals run a mix of legacy Windows endpoints, medical devices, administrative desktops, and cloud services. Many of these endpoints lack unified EDR agents or forward limited telemetry because of application compatibility or performance concerns. That fragmentation creates blind spots where early compromise activity looks like normal operations. CISA and industry reporting reinforce that attackers exploit weak visibility to establish footholds.

  • Default trust and lateral movement: Clinical networks often allow broad east-west communications to support device interoperability. An attacker who compromises one workstation or a remote-access session can scan and move laterally with little resistance. The Black Basta advisory documents network scanning and use of benign-looking tools to do reconnaissance. EDR detections focused only on file encryption will be too late; telemetry must surface suspicious account use, new service creation, and anomalous remote access.

  • Alert fatigue and context loss: Endpoint alerts without rapid context enrichment get triaged slowly. In a healthcare environment overloaded with operational alerts, a well-crafted phishing link or an abused remote support tool can be overlooked until encryption begins. Public reporting on the Ascension outage shows the impact: systems were taken offline to stop automated spread because detection and containment windows had closed.

Practical, prioritized fixes you can implement now

1) Reconcile and instrument every endpoint

Inventory first. Map which endpoints can and cannot run modern EDR agents. Where agents cannot be installed, push network-based monitoring, host-based logging, or micro-segmentation. In the short term, use network flow and proxy logs to create surrogate telemetry for unsupported devices. CISA’s guidance is blunt: defenders must close visibility gaps if they want to spot the initial steps of these intrusions.

2) Harden remote access and admin tooling

Attackers increasingly rely on remote support tools and legitimate admin channels. Enforce strict allow-lists for RMM and support tools, require phishing-resistant MFA for remote access, and instrument jump-hosts with strict session recording and EDR coverage. Make service accounts ephemeral and audit their use. These are high-leverage controls with low operational friction when implemented with clinician workflows in mind.

3) Focus EDR on telemetry that matters

Tune EDR to prioritize process injection, tampering with security agents, abnormal service creation, and unusual use of credential tooling. Enrich endpoint alerts with AD logs, VPN and proxy context, and cloud identity signals so analysts see cross-layer indicators in a single pane. In many healthcare breaches the critical failure was not a lack of EDR but the lack of cross-source enrichment and automation to act fast.
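The cross-source enrichment described in fix 3, together with the RMM allow-list from fix 2, can be sketched as a small triage routine. This is an added illustration, not code from the article or from any vendor product; the event fields, the service name `edr-sensor`, the tool name `approved-rmm.exe` and all sample records are constructed placeholders.

```python
from datetime import datetime, timedelta
# Constructed sample telemetry (not real Ascension data): one VPN session, four endpoint events.
RMM_ALLOWLIST = {"approved-rmm.exe"}   # hypothetical approved support tools (fix 2)
EDR_SERVICES = {"edr-sensor"}          # hypothetical name of the endpoint security service

VPN_SESSIONS = [
    {"user": "nurse01", "src_ip": "203.0.113.7", "start": "2024-05-08T02:10:00", "mfa": False},
]
ENDPOINT_EVENTS = [
    {"ts": "2024-05-08T02:15:00", "host": "ws-17", "user": "nurse01",
     "type": "service_create", "detail": "svc-updater"},
    {"ts": "2024-05-08T02:16:30", "host": "ws-17", "user": "nurse01",
     "type": "service_stop", "detail": "edr-sensor"},
    {"ts": "2024-05-08T02:18:00", "host": "ws-17", "user": "nurse01",
     "type": "remote_tool", "detail": "other-remote-tool.exe"},
    {"ts": "2024-05-08T09:00:00", "host": "ws-02", "user": "admin02",
     "type": "remote_tool", "detail": "approved-rmm.exe"},
]

def _t(s):
    return datetime.fromisoformat(s)

def vpn_context(user, ts, sessions, window=timedelta(hours=1)):
    """Return the VPN session the same identity started within `window` before `ts`, if any."""
    for s in sessions:
        if s["user"] == user and timedelta(0) <= _t(ts) - _t(s["start"]) <= window:
            return s
    return None

def triage(events, sessions, allowlist=RMM_ALLOWLIST):
    """Score endpoint events and enrich them with VPN context; highest severity first."""
    alerts = []
    for e in events:
        sev, reason = 0, None
        if e["type"] == "service_stop" and e["detail"] in EDR_SERVICES:
            sev, reason = 90, "security agent stopped"          # agent tampering
        elif e["type"] == "service_create":
            sev, reason = 50, "new service created"             # abnormal service creation
        elif e["type"] == "remote_tool" and e["detail"] not in allowlist:
            sev, reason = 40, "non-allow-listed remote tool"    # RMM outside the allow-list
        if reason is None:
            continue
        vpn = vpn_context(e["user"], e["ts"], sessions)
        if vpn:  # same account active over remote access: raise priority, more so without MFA
            sev += 10 if vpn["mfa"] else 30
            reason += f" during VPN session from {vpn['src_ip']}"
        alerts.append((min(sev, 100), e["host"], e["user"], reason))
    return sorted(alerts, reverse=True)
```

Running `triage(ENDPOINT_EVENTS, VPN_SESSIONS)` surfaces the agent-stop on ws-17 at the top with its VPN origin attached, while the allow-listed tool on ws-02 produces no alert at all.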

4) Segment by function, not just by network name

Segment lab systems, imaging, administrative networks, and EHR backends with strict firewall rules and ACLs. Assume compromise of workstations and limit what a single host compromise can reach. Segmentation buys time. Ascension’s decision to take systems offline to prevent spread is a blunt example of what segmentation and prebuilt containment playbooks can avoid.

5) Practice incident playbooks with clinical leadership

Downtime drills must be regular, ticketed, and involve clinicians. When EHRs go offline, patient safety depends on human processes working under stress. Simulation exercises reveal gaps in logging, who has authority to swing network switches, and how to safely perform medication reconciliation on paper. Reports from the Ascension disruption highlight how paper fallback and diversion planning are operationally necessary when detection and containment fail.

What vendors and leaders must prioritize

  • Invest in telemetry interoperability. Vendors should export richer, normalized telemetry to SIEM and XDR platforms. Health systems should incentivize products that provide cross-source correlation rather than point detections.

  • Audit and reduce admin blast radius. Default domain admin and long-lived credentials are a repeating theme in large compromises. Replace standing privileges with just-in-time access where possible.

  • Fund modern incident response. For many large health systems the cost of prolonged outages is clinical and financial. Having retained IR partners, tested recovery procedures, and cold backups isolated from the network is essential for resilience. Public-sector advisories after the Ascension event emphasize tactical mitigations for defenders that align with these investments.

Closing note

The Ascension outage is a painful reminder that detection is not a checkbox. Endpoint tools must be part of an ecosystem that includes inventory discipline, network controls, identity protections, and practiced incident response. Healthcare organizations are especially vulnerable because uptime and device compatibility constrain defensive options. The practical takeaway is clear: prioritize visibility, segment aggressively, and bake incident playbooks into clinical operations before you need them. When endpoint detection fails, it is the organizational processes that will determine whether patient care is preserved while you recover systems.