“Everyone go get breakfast, a long one.” To a surgery team, those ominous words means that the first case will not start on time. If the operating room (OR) staff is instructed to take a leisurely breakfast, then something major is impeding the beginning of the day. What could be so major to stop the healthcare system in its tracks? A ransomware attack that locked the hospital out of computers, electronic medical records (EMR), and medication carts.
Doing without the EMR might sound ideal to some, but current healthcare delivery depends on these electronic systems. Their absence cripples the workflow. The team must have previous notes containing the patient's history and physical examination (H&P), consent forms, and images to proceed. In this case, the team had to call outside offices for faxes to confirm the correct surgery site and procedure, then reinterview and reconsent patients using paper relics found in the administrative office. The anesthesiologist and nurses could not access the critical medications typically found in medication carts controlled by the computer system. Pharmacists had to pull all required medications, bring them up in buckets, and remain in the OR throughout each case to supply and record their administration. Afterwards, physicians hand wrote notes to later type up for the EMR and pulled out their paper prescription pads.
The day continued, albeit at a slow and disjointed pace. Each OR started at a different time and required varied amounts of extended turnover time, depending when surgeons, nurses, pharmacists, and anesthesiologists had everything they needed to safely proceed. Surgeons took ownership of deciding what cases could be cancelled. Some afternoon surgeries were rescheduled to another day, while some surgeons were able to complete all planned surgeries with a delay of a few hours.
For the rest of the week, the hospital operated without computers, without the EMR, and without medication carts. After the first day of confusion, the team quickly adapted to the downtime protocols. These protocols included leaving more time between cases to tend to the greater administrative burden, preparing paper charts for each patient the day before their surgery, and ensuring all required supplies were in each OR. The fax machines worked overtime and printed copies were obtained from outside computer systems, given that the printers in the hospital were dependent on functioning computers. This flow of information required more time, supplies, and staff members.
This situation highlights the risks of highly interconnected computer systems. The system of digitalized medicine is here to stay, with its numerous benefits like instant chart access and automated checklists. However, the number and complexity of cybersecurity attacks is on the rise.1,2 This episode was 1 of 66 computer security attacks on hospitals to occur in the first 6 months of this year alone.3 Therefore, hospital systems need to prepare and plan for situations when the computer system fails.
Communicate to the personnel. The staff had no idea that it was a ransomware attack for several days, leading to anxiety and questions. Should all computers stay on, be unplugged, or rebooted? Which procedures can proceed safely, and what activities need to be rescheduled? It was great to know to the team could have a lengthy breakfast; however, the conversation included all sorts of speculation the whole time. Staff need to be informed of the situation in order to proceed safely.
Have backup systems.4 Not only should data be backed up on remote servers, but processes need backups as well. Do physicians have paper prescription pads? Do nurses have sheets to record vital signs? Does the team have print outs of H&Ps, consent forms, and images? How will the lab communicate new findings to the proper parties, especially if the phone system goes down too? A stash of paper forms from the administrative office and paper prescription pads can allow the day to continue compared to coming to a full stop. The administration should have thought-out and robust plans about what to do in these situations.
Prevent cybersecurity issues. Educate staff about phishing attacks and how to avoid them. As part of orientation training to protect patient information, system cybersecurity training can help guard against loss of patient data. Information Technology groups must be flexible and react to the changing environment of hackers.5 The whole group must consistently work to prevent cybersecurity threats from all sources.
The computer system has become a crucial part of hospital operations. The hospital system should do its best to protect the EMR from cyberattacks, prepare for when the system goes down, and provide clear communications to hospital staff. Administration must be prepared for the reality that there are now 2 types of hospitals: those that have been hacked and those that will be hacked. The question becomes, who is prepared to confront those issues.
1. Clem A, Galwankar S, Buck G. Health implications of cyber-terrorism. Prehosp Disaster Med
2. Albahar M. Cyber attacks and terrorism: a twenty-first century conundrum. Sci Eng Ethics
4. Van Cain M. When not if: How to prepare for EHR downtime. AAP News. https://www.aappublications.org/news/2017/11/08/HIT110817
5. Langer SG. Cyber-security issues in healthcare information technology. J Digit Imaging