In April, the MedStar Health system of 10 hospitals and hundreds of physician-affiliated offices around the Maryland and Washington, D.C., area became the latest hospital system targeted by ransomware. Ransomware is a type of virus or malware that blocks access to a computer system until a payment is rendered. The hospital system was reportedly without access to its electronic medical record (EMR) system for days, including restricted access to e-mails, imaging software, and scheduling systems. Many physicians had no access to patient medical records or labs and test results, and most locations resorted to a system of paper charting.
Clearly, losing access to the EMR is debilitating. “Think about it—we couldn’t even print patient armbands,” said a MedStar employee who agreed to discuss the situation with me on the basis of anonymity. “It was a systematic breakdown both for patients and staff, with safety at the forefront,” he said.
Another MedStar nurse told me about the drastically increased wait times in the ER and numerous patient safety issues. “I had a patient who was possibly having a heart attack, but it took hours to get labs results, and I had no way to compare the EKG [electrocardiogram] to any previous EKGs to look for changes,” she said. “The other problem was that [MedStar] kept telling people we were under ‘normal operations,’ so people walked through the door expecting a functioning department.”
Many nurses are inexperienced with paper charting because EMRs have been in use longer than their tenure. “We were boarding patients, no one knew how to paper chart, and the lab was backed up more than six hours for a stat result,” said one nurse.
MedStar is not the first hospital system to be affected by malware: In February, a hospital in California paid $17,000 in bitcoin ransom. Is this the start of a frightening new trend? Hospitals seem like a perfect target because regaining EMR access is time-critical. Systems are very likely to pay up, and quickly, in order to access the hostage information. Patient safety is on the line.
Every hospital employee is familiar with the importance of patient privacy and protected health information because of the HIPAA privacy rule. However, at many hospitals, nurses do not even log into shared workstations—they are all unlocked—and passwords often have lax requirements. In hospital orientation, the focus is on patient privacy, not network security.
What can you do as a nurse to make sure you aren’t contributing to a possible security threat?
1. Be a “discriminating clicker.”
If something seems fishy on your computer, do not click it. Be wary of e-mail attachments specifically, and utilize the “hover-over” feature many programs and browsers use to help verify the legitimacy of the sender or link. Never click a suspicious link, even if it appears to be sent from a friend.
2. Call the help desk if anything strange pops up on your screen.
If a pop-up asks for you to provide log in credentials to a workstation you are already using, be suspicious. Third, immediately report any e-mails you receive from unknown senders. Forward a questionable e-mail to the help desk only if requested, because doing so can help the virus “spread.” Some web sites are able to create a pop-up that asks you to call a certain phone number; do not call these numbers and report this to a help desk.
3. Do not attempt to fix a suspicious problem yourself.
In some cases, turning off a machine altogether can exacerbate a problem or even eliminate potential forensic evidence that could be helpful to law enforcement. When in doubt, check it out with the help desk.
The recent ransomware attack on the D.C. hospital system is unlikely to be the last. Familiarize yourself with the systems information policy at your organization. Even these guidelines will not prevent ransomware, because based on FBI reporting, certain pieces of ransomware can attack application servers directly. However, these tips can help vigilant nurses remain well informed, and can help ensure malware infection attempts through e-mail or browsing are unsuccessful.
Latest posts by Laura Kinsella (see all)
- The Nurse’s Guide to CBD - March 7, 2019
- Navigating Occupational Hazards for the Pregnant Nurse - March 26, 2018
- New Safe Staffing Legislation Introduced to Congress - March 9, 2018