When Hackers Hit: The Patient Perspective

Although cybersecurity incidents can cost hospitals millions of dollars, the highest priority is the patient, not the financial repercussions

Late in the afternoon of May 10, 2016, the administrative supervisor at DeKalb Health in Auburn noticed he was not able to access any patient’s medication records. Puzzled, he turned to the IT team for assistance. The IT staff member on call at the time wasn’t able to fix the problem, so he called the chief information officer (CIO), who had already left for the day.

Upon arriving back at the hospital, the CIO attempted to identify the issue. He noticed that all the icons on the screen now appeared as the Internet Explorer icon. Ominously, the words “Only we can help” were superimposed on each one.

The CIO immediately began shutting down all the hospital’s systems, understanding that every CIO’s worst nightmare was coming true: The hospital had been hit by ransomware.

Hospitals and health care systems increasingly are becoming victims of ransomware, a type of malware that encrypts the victim’s data until a ransom is paid. There is no shortage of reasons hackers are targeting hospitals; from concerns about HIPAA violations to the need to be able to access patient files, hospitals cannot afford to lose access to their data. A desperate hospital is far more likely to pay a ransom than a shoe manufacturer or an individual.

PRIORITIZING THE PATIENT

Immediately following the attack at DeKalb Health, everything was down except the phones, fax machines and laboratory equipment. Even the centralized scheduling system was down, which meant no one knew which patients were coming in for what procedure at what time. Beth Gardner, director of quality, says the top priority was determining the risk to patients.

“We couldn’t even do a simple chest X-ray,” said Gardner. “We had to look at each and every patient and decide if this was someone we could see or someone we needed to send to another hospital.”

The hospital directed EMS to transfer all critical patients to other facilities. Patients who needed X-rays also were sent to other hospitals. Luckily, machines that were off at the time of the attack were not affected, so the hospital was able to see many patients, such as those who needed occupational therapy/physical therapy or lab work.

“We didn’t take any chances with our patients,” said Gardner. “That was the one thing we thought about the most: How do we keep our patients safe?”

IT’S A MATTER OF WHEN, NOT IF

In many ways, DeKalb Health was lucky. Its pharmacy dispensing system was not affected by the ransomware, so no patient medications were missed. In addition, the hospital already had downtime procedures in place.

Still, it was an eye-opening experience, according to Gardner. The hospital learned the hard way that its downtime procedures were not as robust as they might have been.

“The whole thing was a rude awakening,” she said. “There were so many little details we had never considered. We instituted paper charts, but some of our newer nurses had never used them. We placed our supply orders electronically, so we had to figure out a different way to get supplies. Many of our staff members usually entered the hospital through automatic doors in the back; we never even thought about them not being able to get in.”

Systems were not fully restored until the end of June. Ultimately, more than 640 machines had to be cleaned and reimaged.

DeKalb Health held two debriefings following the event, one for all staff and one for IT staff, to identify what went right, what went wrong and what could be improved. A number of lessons learned emerged. For example, the command post should have been opened and left open to help coordinate resources, gather information and make financial decisions. In addition, vendors and other partners should have been involved in the development of the downtime procedures. Patient messaging should have been ready to go. Finally, the hospital should have prioritized which systems were going to be brought back up first and communicated that information to staff ahead of time.

Ultimately, Gardner said, it all comes down to preparation.

“Don’t wait until you’re in the situation. Make sure you’re prepared now,” she says. “It’s no longer a matter of ‘if’ you’re going to be hit; it’s a matter of ‘when.’”