Experts: US Hospitals Prone to Cyberattacks Like One That Hurt Patient Care at Ascension

Yves here. My impression is that most medical industry information systems, including those operated by major hospitals, are as well run as those of a candy store. Even if you attempt to minimize your risk of having your data exposed, compromise of a major system can harm patient care. Confirming the risks described below, some NHS hospitals had to cancel procedures in the wake of cyber attacks. From CNN in early June:

A cyberattack on a contractor to England’s National Health Service has forced several major hospitals in London to cancel operations, blood tests and appointments and send patients elsewhere.

King’s College Hospital, Guy’s and St Thomas’ have all been affected, as have numerous primary care providers in the UK capital, a spokesperson for the National Health Service (NHS) said Tuesday.

The hospitals and providers affected are all partnered with Synnovis, a company that provides lab services to the NHS. The company said Tuesday it had been hit by a ransomware attack that affected all its IT systems “resulting in interruptions to many of our pathology services.”

Among the services most disrupted were those involving blood tests or transfusions.

Note that this NHS case demonstrates that not only are the hospital systems at risk, but major providers are also vulnerable.

By Rachana Pradhan, KFF Health News correspondent, who formerly reported for Politico, and Kate Wells of Michigan Public. Originally published at KFF Health News

In the wake of a debilitating cyberattack against one of the nation’s largest health care systems, Marvin Ruckle, a nurse at an Ascension hospital in Wichita, Kansas, said he had a frightening experience: He nearly gave a baby “the wrong dose of narcotic” because of confusing paperwork.

Ruckle, who has worked in the neonatal intensive care unit at Ascension Via Christi St. Joseph for two decades, said it was “hard to decipher which was the correct dose” on the medication record. He’d “never seen that happen,” he said, “when we were on the computer system” before the cyberattack.

A May 8 ransomware attack against Ascension, a Catholic health system with 140 hospitals in at least 10 states, locked providers out of systems that track and coordinate nearly every aspect of patient care. They include its systems for electronic health records, some phones, and ones “utilized to order certain tests, procedures and medications,” the company said in a May 9 statement.

More than a dozen doctors and nurses who work for the sprawling health system told Michigan Public and KFF Health News that patient care at its hospitals across the nation was compromised in the fallout of the cyberattack over the past several weeks. Clinicians working for hospitals in three states described harrowing lapses, including delayed or lost lab results, medication errors, and an absence of routine safety checks via technology to prevent potentially fatal mistakes.

Despite a precipitous rise in cyberattacks against the health sector in recent years, a weeks-long disruption of this magnitude is beyond what most health systems are prepared for, said John Clark, an associate chief pharmacy officer at the University of Michigan health system.

“I don’t believe that anyone is fully prepared,” he said. Most emergency management plans “are designed around long-term downtimes that are into one, two, or three days.”

Ascension in a public statement May 9 said its care teams were “trained for these kinds of disruptions,” but did not respond to questions in early June about whether it had prepared for longer periods of downtime. Ascension said June 14 it had restored access to electronic health records across its network, but that patient “medical records and other information collected between May 8” and when the service was restored “may be temporarily inaccessible as we work to update the portal with information collected during the system downtime.”

Ruckle said he “had no training” for the cyberattack.

Back to Paper

Lisa Watson, an intensive care unit nurse at Ascension Via Christi St. Francis hospital in Wichita, described her own close call. She said she nearly administered the wrong medication to a critically ill patient because she couldn’t scan it as she normally would. “My patient probably would have passed away had I not caught it,” she said.

Watson is no stranger to using paper for patients’ medical charts, saying she did so “for probably half of my career,” before electronic health records became ubiquitous in hospitals. What happened after the cyberattack was “by no means the same.”

“When we paper-charted, we had systems in place to get those orders to other departments in a timely manner,” she said, “and those have all gone away.”

Melissa LaRue, an ICU nurse at Ascension Saint Agnes Hospital in Baltimore, described a close call with “administering the wrong dosage” of a patient’s blood pressure medication. “Luckily,” she said, it was “triple-checked and remedied before that could happen. But I think the potential for harm is there when you have so much information and paperwork that you have to go through.”

Clinicians say their hospitals have relied on slapdash workarounds, using handwritten notes, faxes, sticky notes, and basic computer spreadsheets — many devised on the fly by doctors and nurses — to care for patients.

More than a dozen other nurses and doctors, some of them without union protections, at Ascension hospitals in Michigan recounted situations in which they say patient care was compromised. Those clinicians spoke on the condition that they not be named for fear of retaliation by their employer.

An Ascension hospital emergency room doctor in Detroit said a man on the city’s east side was given a dangerous narcotic intended for another patient because of a paperwork mix-up. As a result, the patient’s breathing slowed to the point that he had to be put on a ventilator. “We intubated him and we sent him to the ICU because he got the wrong medication.”

A nurse in a Michigan Ascension hospital ER said a woman with low blood sugar and “altered mental status” went into cardiac arrest and died after staff said they waited four hours for lab results they needed to determine how to treat her, but never received. “If I started having crushing chest pain in the middle of work and thought I was having a big one, I would grab someone to drive me down the street to another hospital,” the same ER nurse said.

Similar concerns reportedly led a travel nurse at an Ascension hospital in Indiana to quit. “I just want to warn those patients that are coming to any of the Ascension facilities that there will be delays in care. There is potential for error and for harm,” Justin Neisser told CBS4 in Indianapolis in May.

Several nurses and doctors at Ascension hospitals said they feared the errors they’ve witnessed since the cyberattack began could threaten their professional licenses. “This is how a RaDonda Vaught happens,” one nurse said, referring to the Tennessee nurse who was convicted of criminally negligent homicide in 2022 for a fatal drug error.

Reporters were not able to review records to verify clinicians’ claims because of privacy laws surrounding patients’ medical information that apply to health care professionals.

Ascension declined to answer questions about claims that care has been affected by the ransomware attack. “As we have made clear throughout this cyber attack which has impacted our system and our dedicated clinical providers, caring for our patients is our highest priority,” Sean Fitzpatrick, Ascension’s vice president of external communications, said via email on June 3. “We are confident that our care providers in our hospitals and facilities continue to provide quality medical care.”

The federal government requires hospitals to protect patients’ sensitive health data, according to cybersecurity experts. However, there are no federal requirements for hospitals to prevent or prepare for cyberattacks that could compromise their electronic systems.

Hospitals: ‘The No.1 Target of Ransomware’

“We’ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,” said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego. “These types of cybersecurity incidents should be thought of as a matter of when, and not if.”

Josh Corman, a cybersecurity expert and advocate, said ransom crews regard hospitals as the perfect prey: “They have terrible security and they’ll pay. So almost immediately, hospitals went to the No. 1 target of ransomware.”

In 2023, the health sector experienced the largest share of ransomware attacks of 16 infrastructure sectors considered vital to national security or safety, according to an FBI report on internet crimes. In March, the federal Department of Health and Human Services said reported large breaches involving ransomware had jumped by 264% over the past five years.

A cyberattack this year on Change Healthcare, a unit of UnitedHealth Group’s Optum division that processes billions of health care transactions every year, crippled the business of providers, pharmacies, and hospitals.

The cyberattack on a unit of UnitedHealth Group’s Optum division is the worst on the health care industry in U.S. history, hospitals say. Providers struggling to get paid for care say the response by the insurer and the Biden administration has been inadequate.

In May, UnitedHealth Group CEO Andrew Witty told lawmakers the company paid a $22 million ransom as a result of the Change Healthcare attack — which occurred after hackers accessed a company portal that didn’t have multifactor authentication, a basic cybersecurity tool.

The Biden administration in recent months has pushed to bolster health care cybersecurity standards, but it’s not clear which new measures will be required.

In January, HHS nudged companies to improve email security, add multifactor authentication, and institute cybersecurity training and testing, among other voluntary measures. The Centers for Medicare & Medicaid Services is expected to release new requirements for hospitals, but the scope and timing are unclear. The same is true of an update HHS is expected to make to patient privacy regulations.

HHS said the voluntary measures “will inform the creation of new enforceable cybersecurity standards,” department spokesperson Jeff Nesbit said in a statement.

“The recent cyberattack at Ascension only underscores the need for everyone in the health care ecosystem to do their part to secure their systems and protect patients,” Nesbit said.

Meanwhile, lobbyists for the hospital industry contend cybersecurity mandates or penalties are misplaced and would curtail hospitals’ resources to fend off attacks.

“Hospitals and health systems are not the primary source of cyber risk exposure facing the health care sector,” the American Hospital Association, the largest lobbying group for U.S. hospitals, said in an April statement prepared for U.S. House lawmakers. Most large data breaches that hit hospitals in 2023 originated with third-party “business associates” or other health entities, including CMS itself, the AHA statement said.

Hospitals consolidating into large multistate health systems face increased risk of data breaches and ransomware attacks, according to one study. Ascension in 2022 was the third-largest hospital chain in the U.S. by number of beds, according to the most recent data from the federal Agency for Healthcare Research and Quality.

And while cybersecurity regulations can quickly become outdated, they can at least make it clear that if health systems fail to implement basic protections there “should be consequences for that,” Jim Bagian, a former director of the National Center for Patient Safety at the Veterans Health Administration, told Michigan Public’s Stateside.

Patients can pay the price when lapses occur. Those in hospital care face a greater likelihood of death during a cyberattack, according to researchers at the University of Minnesota School of Public Health.

Workers concerned about patient safety at Ascension hospitals in Michigan have called for the company to make changes.

“We implore Ascension to recognize the internal problems that continue to plague its hospitals, both publicly and transparently,” said Dina Carlisle, a nurse and the president of the OPEIU Local 40 union, which represents nurses at Ascension Providence Rochester. At least 125 staff members at that Ascension hospital have signed a petition asking administrators to temporarily reduce elective surgeries and nonemergency patient admissions, like under the protocols many hospitals adopted early in the covid-19 pandemic.

Watson, the Kansas ICU nurse, said in late May that nurses had urged management to bring in more nurses to help manage the workflow. “Everything that we say has fallen on deaf ears,” she said.

“It is very hard to be a nurse at Ascension right now,” Watson said in late May. “It is very hard to be a patient at Ascension right now.”


9 comments

  1. voislav

    My friend works at Lurie Children’s Hospital in Chicago, they are still hampered after a ransomware attack in February. Talk about soft targets, hospital IT systems are terrible to start with, but on top of that IT departments are woefully inadequate. Their department says they may get full functionality back sometime next year.

    Reply
    1. Lefty Godot

      IT departments being inadequate is more the norm than the exception. Too many people have been lured into seeking IT jobs that they have no real aptitude for, and HR departments are notoriously terrible at winnowing the hordes of candidates down into something meaningful for a hiring manager (who may not be especially good at their job to begin with). Often HR uses automated resume scanning software that eliminates people on the basis of inadequate buzzword compliance rather than truly relevant background. So a lot of people staffing IT are at best mediocre at doing the real work required versus attending meetings and writing emails (or, worse, creating PowerPoint slides).

      My suspicion is also that the information systems used in hospitals come from a very narrow range of vendors, who oversell the capabilities to top hospital management, and stick IT with the after-the-fact reality of having to try to paper over the practical shortfalls and make systems talk to each other that weren’t designed to. So the environment is rife with opportunities for security to be pushed far down the list of work priorities.

      Reply
  2. Wukchumni

    We wouldn’t be at this juncture without cryptocurrency, what other option would the bad guise have?

    ‘Leave $22 million in cash in a steamer trunk, behind the 4th bench from the street in the park, are we clear on this?’

    Reply
    1. The Rev Kev

      That is not a bad point that. Not a bad point at all. Without cryptocurrency, just how do you pay off blackmailers with that large a sum? You can’t as everything else leaves a trace.

      Reply
    2. cousinAdam

      Our humble hostess has often termed Bitcoin commerce as “prosecution futures”. IANAcryptogeek but I take this to mean that every ‘coin’ (and fraction thereof) has a unique blockchain identifier – wouldn’t this enable tracking of the ransom payment? I suppose the victim would have to take the initiative to document the blockchain of every coin it acquired in order to make payment. Is the ‘dark web’ so vast that those coins never reappear?

      Reply
  3. IM Doc

    I have multiple colleagues who work in Ascension hospitals across the country. Some, not all, of them are reporting that the EMR systems are still not working.

    Interestingly and to the one they have stated emphatically that during this time that the EMR has been down has been among the best times they have had as a practicing physician in some time.

    I continue to state that if a massive computer outage that was permanent occurred and wiped out the EMR systems, Twitter and Facebook, the countenance of the entire country would drastically improve overnight. I pray for this every day.

    Reply