Cyber ​​attacks on hospitals delay patient care and affect their safety

We are thrilled to have you on our site. If you enjoy the post you have just found kindly Share it with friends.

Last Tuesday, Jason Cabot prepared for an abdominal surgery: he fasted for 24 hours and drank three tablespoons of the intestinal cleansing milk of Magnesia. But until he showed up at 5:30 a.m. the next day at Scripps Mercy Health in San Diego, he had no idea if surgery would happen.

Scripps Health, a large California health system, saw it on May 1st. “disturbance“For his IT systems, which have since been linked to malware discovered on the health system’s computer network. To contain the malware, Scripps said he took part of his network offline, disrupting access to the health system’s e-mail servers. Patient portal and other applications.

So far, Scripps has shared limited details of the malware attack. But the California Department of Public Health Last week, the incident was described as being caused by “ransomware attacks.” In a ransomware attack, a hacker typically spreads malware – or “malware” – that encrypts the victim’s computer files and only issues the files for payment. Recently, criminals have also removed data from systems and threatened to release files if the victim did not pay.

Although patient privacy has been a major concern of recent cyber attacks, patient safety and quality are increasingly important when health service providers do not have access to electronic health records or scheduling information.

Cabot, 34, faced a potentially serious patient safety flaw caused by the Scripps attack. Although he said that Scripps’ pre-operative team checked the type of surgery he was undergoing three times, his medical problems and medications came to light after the surgery. He said a nurse tried to give the anti-blood-clotting drug heparin, without realizing that another nurse had actually given him the only dose he needed before surgery.

“Obviously, giving twice the intended dose of the blood thinner could be a problem,” Cabot said. “It’s things like that that scare me from a patient safety standpoint, with the doctor not having access to patient records, incomplete paper paths and uncommon processes.”

The American Hospital Association has it Argued Ransomware attacks against hospitals should be prosecuted as life-threatening crimes, not economic crimes. This is because when a ransomware attack disrupts a hospital’s IT systems, it not only disrupts internal business processes but also disrupts patient care, as ransomware often infects critical medical systems.

If the hospital’s electronic medical records system is down, this may mean that doctors are unable to access a patient’s medical history prior to the procedure. Even if clinicians are aware of shutdown procedures – procedures also used during natural disasters and maintenance of IT systems, in addition to cyber attacks – it can be difficult for systems to collapse unexpectedly.

“When hospitals are victims of a ransomware attack, everything from patient records to appointment scheduling is affected,” Taban Mehta, leader of global healthcare solutions and strategies at cybersecurity firm Palo Alto Networks, wrote in an email.

It can cause electronic health records to be closed medical errors. Electronic health records include reminders and alerts for nearly every job within the hospital. In Cabot’s case, the postoperative nurse likely saw that the drug was actually administered if the system was working. If you don’t, a security alert will appear on the EHR system.

Said Dr. Christoph Lyman, Professor of Clinical Sciences in the Department of Bioinformatics at Texas Southwestern Medical Center. “So until their systems get restarted, going to that hospital would be much more dangerous.”

There is not much research on the link between cybersecurity attacks and their impact on safety and quality. One a studyIn the three years following the cybersecurity attack, the death rate from heart attacks rises, co-authored by Lyman, and it takes much longer for emergency department personnel to start an EKG after a patient has had chest pain.

This is not due to the cyber attack itself. When two-factor authentication and longer passwords were implemented after the attack, it took longer to care for chest pain patients, according to the researchers.

“If you do all these security measures, it will be more complicated to get in and do the things that patients need right away,” Lyman said.

Immediately after the attack, when the system is down, it has not been studied much. This is partly because hospitals in the past few years have entered a new era of cybersecurity risk: Previous iterations of hackers have mostly focused on obtaining patient records for legacy financial fraud or medical identity theft, rather than keeping data for ransom.

“What we’re seeing now is what I’d like to say, version 2.0, which is an organization being held hostage, either out of disruption, or because of fear of releasing private data and extorting money from the organization,” said Eric Johnson, dean of the Owen Graduate School of Management at Vanderbilt University.

Health systems are particularly vulnerable to cyber attacks, compared to other organizations in the financial sector. Doctors and other healthcare providers saw security measures such as proximity sensors, with computers shutting down when a worker moved away, as an impediment to care and a hassle.

“When I talk to doctors about security, they are often very passive,” Johnson said. “So they’re very late, and at this point, they’re incredibly vulnerable.”

Delays in care can cause major problems for patients. Lisa Van Hook, 66, Scripps patient, said her doctor recently found a cut in her throat. She is optimistic that it’s not a serious thing, but she does need a biopsy.

“I think it is [the biopsy order] “It’s just a protocol, but at the same time I keep touching my neck,” said Van Hook, who has been sick with Scripps for 40 years. This is a big problem and we haven’t heard anything. I’ll give them some time, but we really need a lawyer. “

Van Hook was one of hundreds of people on the Scripps Health Facebook page inquiring if their appointments were still scheduled or not, how to refill prescriptions while the patient portal was not connected, and complaining about not being able to reach the hospital or provider offices via the phone. After writing to Scripps on Facebook and calling the hospital several times, Van Hook still doesn’t know when she will be able to get a biopsy.

I have Emergency Planning to continue treating and diagnosing time-sensitive illnesses, and clearly communicating with patients, is key when exposed to a cybersecurity shutdown.

“There are things in medicine that don’t allow you to scribble,” said Lyman of the University of the US Southwest. “The awareness campaign for their patients should include,” If you have the following conditions, don’t wait for us to return to work. We can refer you to other good places. “

So far, the responses on Scripp’s Facebook page direct patients to their individual providers. In some cases, Scripps requires patients to send them personal information directly to confirm appointments. But interacting with patients on social media is an area where hospitals should be careful not to conflict with federal privacy laws, according to legal experts.

“Social media is a blessing and a curse in these situations,” said Valerie Montague, a partner at the law firm Nixon Peabody that focuses on health information privacy and security issues.

Social media provides a way for the hospital to post updates and let patients know where to call or communicate questions. But hospital contact teams or other personnel who manage social media pages also need to be careful not to inadvertently disclose health data protected by HIPAA.

If a patient posts a question or complaint publicly on the social media page, Montag suggests that the hospital admits to seeing the message but asks to continue the conversation privately, as in the case of a direct message or phone call. It’s also important to verify who they are telling you before discussing their appointment, even in private.

“The healthcare facility has to balance responding to their patients with doing nothing to reveal the information they need to protect,” said Montag. Hospitals should not publicly confirm that a single post is a patient or that they are receiving care at the institution, even if the patient publishes this information first.

In a video from Scripps CEO and President Chris Van Gorder to staff on May 10, Van Gorder said the California Department of Public Health visited all five hospitals and made sure the care provided was safe. He added that employees are now working on manual backup procedures.

“Doctors and clinical staff make decisions about who should undergo surgery and who should postpone it, and in very rare cases, patients who may need the care of one of our community partners,” Van Gorder said in the video provided to. Modern Healthcare from Scripps. “Over the past few years, it has been evident that everything has become automated and we have these backup procedures only for rare occasions and usually for an hour or so. But this is an unfortunate situation as it takes days to be able to bring in the backup system.”

Scripps did not publicly share whether it received a ransom demand from the attackers, and if so, what types of data the hackers were able to encrypt or steal.

Under the Health Insurance Transfer and Liability Act (HIPAA), health systems are not required to notify patients or HHS about a health data breach up to 60 days after the entity finds out the accident.

In a Monday employee memo submitted to Modern Healthcare, Scripps CEO Van Gorder said that while he strives to be “as open and transparent as possible,” he is limited in what he can share about the attack.

He wrote, “We need to let our investigation go ahead and work with our advisors and outside government agencies, and when I can participate, I will.”

Disclaimer: The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of and does not assume any responsibility or liability for the same.

Leave a Comment