Ransomware forces 3 hospitals to turn away all but the most critical patients

Just yesterday, I experienced my first “technical” barrier to patient care when our chart system prevented us from documenting plan of care. It affected our hospital network (several hospitals) for all OTs and PTs. There was no alternative way to chart. This was nothing compared to the hospitals affected in the article. My prediction, this type of event will occur more frequently. Just recently, a school was shut down for several days due to computer malware or infiltration!

What Is Ransomware?

Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. Ransomware typically spreads through phishing emails or by unknowingly visiting an infected website. Ransomware can be devastating to an individual or an organization.

Prevention

The best way to avoid this at work is to do only work-related things. The most likely vectors of attack are when users visit other websites. Trustworthy websites such as .gov should be safe, but use your best judgment when visiting others. I would definitely not click on a random link on facebook on work computer (if I even used facebook at work). Why? IT could trace it back to you if the entire system goes down, and I would not want that on my shoulders.

E-mail is another possible vector of attack. Look for suspicious phrases in the subject/body of the e-mail, bad actors impersonating others, and most importantly, think twice before clicking on a link in an e-mail. If possible, analyze the URL of the link you are clicking on and look for anything suspicious. For example, if a link only has numbers (IP address) instead of a well-known domain, it should raise red flags and be forwarded to IT for analysis.

Of course, remember to log out when stepping away even if only for a second.

Backups

This is more for IT, but is relevant for the end-user as well. Does the system have nightly backups, for example, that can roll back in case of an attack? This can get tricky with healthcare information, as it relies on up to date information, but it is better to have some information than no information. Backup EMR, if it even exists, should be implemented. As a last resort, consider paper. Some settings still use paper charts, so it may be a good idea to implement a way to transition to paper chart in case of downtime. Yes, it will not have the most up to date information, but is better than nothing.

Education & Drills

Backups can be great, but just like other disaster preparedness (fire drills, earthquake, active shooter), they should be tested. Employees should know what to do (knowledge), but also demonstrate their competency in case the system goes down.

My first week of employment saw a TEN DAY computer system outage. The system was actually only down for about a day, but the remainder of that time was spent validating the data that was restored. (LINK)

I predict that at some point or another in your career, this may be more of a reality in your workplace. And it may not just be a 1 day thing, the system could go down for weeks, months and guess what this affects? Your patient’s wellbeing and even your paycheck!

Regulation???

This subject popped into my head and I am not even sure if I would personally support it. However, there should be some type of accountability or external pressure for hospital systems and their IT to implement and execute measures to prevent, practice, and handle situations that result in network downtime. A prime example of this is the Equifax breach.

The thieves spent 76 days within Equifax’s network before they were detected. According to the report, the hackers stole the data piece by piece from 51 databases so they wouldn’t raise any alarms.

Equifax didn’t know about the attack until July 29, more than two months later, and cut off access to the thieves on July 30. (LINK)

Companies should pay more attention to their IT because it is literally the most important backend that runs their business. This has an effect on the entire population.

OTDUDE
About the Author: Jeff is the lead author and editor of OTDUDE.com, where he covers all things Occupational Therapy.