Yves here. My impression is that most medical industry information systems, including those operated by major hospitals, are as well run as those of a candy store. Even if you attempt to minimize your risk of having your data exposed, compromise of a major system can harm patient care. Confirming the risks described below, some NHS hospitals had to cancel procedures in the wake of cyber attacks. From CNN in early June:<\/p>\n
A cyberattack on a contractor to England\u2019s National Health Service has forced several major hospitals in London to cancel operations, blood tests and appointments and send patients elsewhere.<\/p>\n
King\u2019s College Hospital, Guy\u2019s and St Thomas\u2019 have all been affected, as have numerous primary care providers in the UK capital, a spokesperson for the National Health Service (NHS) said Tuesday.<\/p>\n
The hospitals and providers affected are all partnered with Synnovis, a company that provides lab services to the NHS. The company said Tuesday it had been hit by a ransomware attack that affected all its IT systems \u201cresulting in interruptions to many of our pathology services.\u201d<\/p>\n
Among the services most disrupted were those involving blood tests or transfusions.<\/p>\n
Note that this NHS case demonstrates that not only are the hospital systems at risk, but major providers are also vulnerable.<\/p>\n
By Rachana Pradhan, KFF Health News correspondent, who formerly reported for Politico, and Kate Wells of Michigan Public. Originally published at KFF Health News<\/p>\n
In the wake of a debilitating cyberattack against one of the nation\u2019s largest health care systems, Marvin Ruckle, a nurse at an Ascension hospital in Wichita, Kansas, said he had a frightening experience: He nearly gave a baby \u201cthe wrong dose of narcotic\u201d because of confusing paperwork.<\/p>\n
Ruckle, who has worked in the neonatal intensive care unit at Ascension Via Christi St. Joseph for two decades, said it was \u201chard to decipher which was the correct dose\u201d on the medication record. He\u2019d \u201cnever seen that happen,\u201d he said, \u201cwhen we were on the computer system\u201d before the cyberattack.<\/p>\n
A May 8 ransomware attack against Ascension, a Catholic health system with 140 hospitals in at least 10 states, locked providers out of systems that track and coordinate nearly every aspect of patient care. They include its systems for electronic health records, some phones, and ones \u201cutilized to order certain tests, procedures and medications,\u201d the company said in a May 9 statement.<\/p>\n
More than a dozen doctors and nurses who work for the sprawling health system told Michigan Public and KFF Health News that patient care at its hospitals across the nation was compromised in the fallout of the cyberattack over the past several weeks. Clinicians working for hospitals in three states described harrowing lapses, including delayed or lost lab results, medication errors, and an absence of routine safety checks via technology to prevent potentially fatal mistakes.<\/p>\n
Despite a precipitous rise in cyberattacks against the health sector in recent years, a weeks-long disruption of this magnitude is beyond what most health systems are prepared for, said John Clark, an associate chief pharmacy officer at the University of Michigan health system.<\/p>\n
\u201cI don\u2019t believe that anyone is fully prepared,\u201d he said. Most emergency management plans \u201care designed around long-term downtimes that are into one, two, or three days.\u201d<\/p>\n
Ascension in a public statement May 9 said its care teams were \u201ctrained for these kinds of disruptions,\u201d but did not respond to questions in early June about whether it had prepared for longer periods of downtime. Ascension said June 14 it had restored access to electronic health records across its network, but that patient \u201cmedical records and other information collected between May 8\u201d and when the service was restored \u201cmay be temporarily inaccessible as we work to update the portal with information collected during the system downtime.\u201d<\/p>\n
Ruckle said he \u201chad no training\u201d for the cyberattack.<\/p>\n
Back to Paper<\/p>\n
Lisa Watson, an intensive care unit nurse at Ascension Via Christi St. Francis hospital in Wichita, described her own close call. She said she nearly administered the wrong medication to a critically ill patient because she couldn\u2019t scan it as she normally would. \u201cMy patient probably would have passed away had I not caught it,\u201d she said.<\/p>\n
Watson is no stranger to using paper for patients\u2019 medical charts, saying she did so \u201cfor probably half of my career,\u201d before electronic health records became ubiquitous in hospitals. What happened after the cyberattack was \u201cby no means the same.\u201d<\/p>\n
\u201cWhen we paper-charted, we had systems in place to get those orders to other departments in a timely manner,\u201d she said, \u201cand those have all gone away.\u201d<\/p>\n
Melissa LaRue, an ICU nurse at Ascension Saint Agnes Hospital in Baltimore, described a close call with \u201cadministering the wrong dosage\u201d of a patient\u2019s blood pressure medication. \u201cLuckily,\u201d she said, it was \u201ctriple-checked and remedied before that could happen. But I think the potential for harm is there when you have so much information and paperwork that you have to go through.\u201d<\/p>\n
Clinicians say their hospitals have relied on slapdash workarounds, using handwritten notes, faxes, sticky notes, and basic computer spreadsheets \u2014 many devised on the fly by doctors and nurses \u2014 to care for patients.<\/p>\n
More than a dozen other nurses and doctors, some of them without union protections, at Ascension hospitals in Michigan recounted situations in which they say patient care was compromised. Those clinicians spoke on the condition that they not be named for fear of retaliation by their employer.<\/p>\n
An Ascension hospital emergency room doctor in Detroit said a man on the city\u2019s east side was given a dangerous narcotic intended for another patient because of a paperwork mix-up. As a result, the patient\u2019s breathing slowed to the point that he had to be put on a ventilator. \u201cWe intubated him and we sent him to the ICU because he got the wrong medication.\u201d<\/p>\n
A nurse in a Michigan Ascension hospital ER said a woman with low blood sugar and \u201caltered mental status\u201d went into cardiac arrest and died after staff said they waited four hours for lab results they needed to determine how to treat her, but never received. \u201cIf I started having crushing chest pain in the middle of work and thought I was having a big one, I would grab someone to drive me down the street to another hospital,\u201d the same ER nurse said.<\/p>\n
Similar concerns reportedly led a travel nurse at an Ascension hospital in Indiana to quit. \u201cI just want to warn those patients that are coming to any of the Ascension facilities that there will be delays in care. There is potential for error and for harm,\u201d Justin Neisser told CBS4 in Indianapolis in May.<\/p>\n
Several nurses and doctors at Ascension hospitals said they feared the errors they\u2019ve witnessed since the cyberattack began could threaten their professional licenses. \u201cThis is how a RaDonda Vaught happens,\u201d one nurse said, referring to the Tennessee nurse who was convicted of criminally negligent homicide in 2022 for a fatal drug error.<\/p>\n
Reporters were not able to review records to verify clinicians\u2019 claims because of privacy laws surrounding patients\u2019 medical information that apply to health care professionals.<\/p>\n
Ascension declined to answer questions about claims that care has been affected by the ransomware attack. \u201cAs we have made clear throughout this cyber attack which has impacted our system and our dedicated clinical providers, caring for our patients is our highest priority,\u201d Sean Fitzpatrick, Ascension\u2019s vice president of external communications, said via email on June 3. \u201cWe are confident that our care providers in our hospitals and facilities continue to provide quality medical care.\u201d<\/p>\n
The federal government requires hospitals to protect patients\u2019 sensitive health data, according to cybersecurity experts. However, there are no federal requirements for hospitals to prevent or prepare for cyberattacks that could compromise their electronic systems.<\/p>\n
Hospitals: \u2018The No.1 Target of Ransomware\u2019<\/p>\n
\u201cWe\u2019ve started to think about these as public health issues and disasters on the scale of earthquakes or hurricanes,\u201d said Jeff Tully, a co-director of the Center for Healthcare Cybersecurity at the University of California-San Diego. \u201cThese types of cybersecurity incidents should be thought of as a matter of when, and not if.\u201d<\/p>\n
Josh Corman, a cybersecurity expert and advocate, said ransom crews regard hospitals as the perfect prey: \u201cThey have terrible security and they\u2019ll pay. So almost immediately, hospitals went to the No. 1 target of ransomware.\u201d<\/p>\n
In 2023, the health sector experienced the largest share of ransomware attacks of 16 infrastructure sectors considered vital to national security or safety, according to an FBI report on internet crimes. In March, the federal Department of Health and Human Services said reported large breaches involving ransomware had jumped by 264% over the past five years.<\/p>\n
A cyberattack this year on Change Healthcare, a unit of UnitedHealth Group\u2019s Optum division that processes billions of health care transactions every year, crippled the business of providers, pharmacies, and hospitals.<\/p>\n
The cyberattack on a unit of UnitedHealth Group\u2019s Optum division is the worst on the health care industry in U.S. history, hospitals say. Providers struggling to get paid for care say the response by the insurer and the Biden administration has been inadequate.<\/p>\n
In May, UnitedHealth Group CEO Andrew Witty told lawmakers the company paid a $22 million ransom as a result of the Change Healthcare attack \u2014 which occurred after hackers accessed a company portal that didn\u2019t have multifactor authentication, a basic cybersecurity tool.<\/p>\n
The Biden administration in recent months has pushed to bolster health care cybersecurity standards, but it\u2019s not clear which new measures will be required.<\/p>\n
In January, HHS nudged companies to improve email security, add multifactor authentication, and institute cybersecurity training and testing, among other voluntary measures. The Centers for Medicare & Medicaid Services is expected to release new requirements for hospitals, but the scope and timing are unclear. The same is true of an update HHS is expected to make to patient privacy regulations.<\/p>\n
HHS said the voluntary measures \u201cwill inform the creation of new enforceable cybersecurity standards,\u201d department spokesperson Jeff Nesbit said in a statement.<\/p>\n
\u201cThe recent cyberattack at Ascension only underscores the need for everyone in the health care ecosystem to do their part to secure their systems and protect patients,\u201d Nesbit said.<\/p>\n
Meanwhile, lobbyists for the hospital industry contend cybersecurity mandates or penalties are misplaced and would curtail hospitals\u2019 resources to fend off attacks.<\/p>\n
\u201cHospitals and health systems are not the primary source of cyber risk exposure facing the health care sector,\u201d the American Hospital Association, the largest lobbying group for U.S. hospitals, said in an April statement prepared for U.S. House lawmakers. Most large data breaches that hit hospitals in 2023 originated with third-party \u201cbusiness associates\u201d or other health entities, including CMS itself, the AHA statement said.<\/p>\n
Hospitals consolidating into large multistate health systems face increased risk of data breaches and ransomware attacks, according to one study. Ascension in 2022 was the third-largest hospital chain in the U.S. by number of beds, according to the most recent data from the federal Agency for Healthcare Research and Quality.<\/p>\n
And while cybersecurity regulations can quickly become outdated, they can at least make it clear that if health systems fail to implement basic protections there \u201cshould be consequences for that,\u201d Jim Bagian, a former director of the National Center for Patient Safety at the Veterans Health Administration, told Michigan Public\u2019s Stateside.<\/p>\n
Patients can pay the price when lapses occur. Those in hospital care face a greater likelihood of death during a cyberattack, according to researchers at the University of Minnesota School of Public Health.<\/p>\n
Workers concerned about patient safety at Ascension hospitals in Michigan have called for the company to make changes.<\/p>\n
\u201cWe implore Ascension to recognize the internal problems that continue to plague its hospitals, both publicly and transparently,\u201d said Dina Carlisle, a nurse and the president of the OPEIU Local 40 union, which represents nurses at Ascension Providence Rochester. At least 125 staff members at that Ascension hospital have signed a petition asking administrators to temporarily reduce elective surgeries and nonemergency patient admissions, like under the protocols many hospitals adopted early in the covid-19 pandemic.<\/p>\n
Watson, the Kansas ICU nurse, said in late May that nurses had urged management to bring in more nurses to help manage the workflow. \u201cEverything that we say has fallen on deaf ears,\u201d she said.<\/p>\n
\u201cIt is very hard to be a nurse at Ascension right now,\u201d Watson said in late May. \u201cIt is very hard to be a patient at Ascension right now.\u201d<\/p>\n
![\"Print](\"https:\/\/cdn.printfriendly.com\/buttons\/print-button-gray.png\")
<\/div>\n<\/div>\n