In more than a dozen states, doctors and nurses have relied on paper and handwritten treatment orders to chart and track patients' ailments, without access to detailed medical histories that have long been available only through computerized records.
Patients are facing long waits in emergency rooms and delayed treatment because test results and readings from machines like MRIs are transported via makeshift means that don't allow for fast electronic uploads.
More than two weeks after a cyberattack on Ascension, one of the nation's largest health care systems with nearly 140 hospitals in 19 states and the District of Columbia, thousands of health care workers are relying on manual methods. There is.
The massive attack on May 8 was eerily reminiscent of the hack of Change Healthcare, a division of UnitedHealth Group that manages the nation's largest health care payment system. The assault shut down Change's digital billing and payment channels, leaving hospitals, doctors and pharmacists without a way to communicate with health insurers for weeks. Patients couldn't fill prescriptions and health care providers couldn't get paid for treatment.
While some previous cyberattacks affected single hospitals or smaller health networks, the collapse of Change, which handles a third of all U.S. patient records, highlights the dangers of consolidation when one organization becomes so important to the nation's health care system.
Ascension's systems remain down indefinitely, but doctors and nurses are looking at medical records kept by other health care providers and trying to figure out how to access some of the information about patients' medical histories. Ascension also tells doctors and nurses that they will soon be able to view their existing digital records.
“It's very disruptive for everyone involved,” said Kristin Kittelson, a nurse at Ascension Seton Medical Center in Austin, Texas, and a member of the National Nurses United union.
The Ascension attack, like Change, had widespread effects, forcing some hospitals in states like Indiana and Michigan to repurpose ambulances. Ascension hospitals handle about 3 million emergency room visits and perform nearly 600,000 surgeries a year.
Like Change, Ascension has also been the target of a ransomware attack, and the hospital group says it is cooperating with federal law enforcement. The attack appears to be the work of a group known as “Black Basta” and may be linked to Russian-speaking cybercriminals, according to news reports.
Concerned that hackers could compromise their personal medical information, patients have already begun filing a federal lawsuit against Ascension, accusing the company of not doing enough to protect their data.
Large healthcare organizations have become prime targets for cybercriminals looking to wreak as much havoc as they can on critical parts of the U.S. infrastructure. “This is something we're going to see repeated over and over again,” said Steve Cagle, CEO of healthcare compliance firm Clearwater.
With hospital and clinic networks spread far and wide, large companies still cannot identify where vulnerabilities lie or how to minimize disruption from a serious attack. The industry “wasn't prepared for something like this,” Cagle said.
Ascension continues to treat patients, but the risk of parts of a patient's history being lost is obvious. In interviews, doctors and nurses outlined the threats to patient care: People may not remember what medications they're taking; previous consultations and results of previous procedures and tests may be omitted.
In Austin, Kittelson said, she had to sift through dozens of papers to find out what medications doctors had ordered or find anything about a patient's condition. “I worry about the charts,” she said, noting that patients' conditions and treatments were painstakingly recorded by hand.
And many everyday safety measures are no longer available. Nurses are unable to scan medication and patient wristbands to ensure the correct medication is being given to the correct patient, increasing the likelihood of medication errors. Nurses are also far less confident that doctors are receiving important updates about their patients' conditions.
Lisa Watson, a union nurse at Ascension Hospital in Wichita, Kansas, said, “The big problem is that nurses are being crippled by cyberattacks,'' and their workload has increased significantly. he pointed out.
“This is much more important than the old paper charting,” Watson said. Nurses had to fill out prescriptions and other treatments on separate forms that were sent to different departments. Instead of being notified instantly on a computer, nurses may not see new test results for hours.
Ascension said Tuesday it is “making progress in both restoring operations and reconnecting to its network of partners,” and that some nurses may soon have limited access to their past records. But Ascension has not offered a timeline for restoring full digital access, saying only that “returning to normal operations will take time” in an emailed statement Tuesday night.
Few health care organizations publicly discussed the extent of the damage caused by ransomware attacks across many states and health care sectors. The damage has not yet been fully assessed, and Ascension is focused on continuing operations as much as possible.
Unionized nurses say the cyberattack has exacerbated staffing shortages that have dogged their labor relations with Ascension, which the company denies. Nurses in Wichita recently clashed with hospital management over what they say are too few nurses in the intensive care unit.
“Despite the challenges presented by the recent ransomware attack, patient safety remains our top priority,” Ascension said in an emailed statement. “Our dedicated physicians, nurses and care teams have demonstrated incredible thoughtfulness and resilience, utilizing manual and paper-based systems as their normal systems continue to be disrupted.”
“Our care teams are familiar with the dynamic situation and are appropriately trained to maintain high quality care during downtime,” it added. “Our leadership, physicians, care teams and stakeholders are working to ensure patient care continues with minimal interruption.”
Ascension said it will tell patients if they need to reschedule their appointment or procedure. The organization has not yet determined whether sensitive patient data was compromised and urged the public to refer to its website for the latest information.
The risks to patient care from cyber-attacks are well-documented. Studies have shown that in-hospital mortality increases after an attack, an impact that can be felt in nearby hospitals, and the quality of care may decline in hospitals that are forced to admit additional patients.
An even bigger concern is whether confidential patient information was leaked and who should be held responsible. In the aftermath of the Change attack, doctors are calling on U.S. government health officials to clarify that Change is responsible for warning patients. According to a letter sent out by the American Medical Association and other physician groups earlier this week, the doctors called on the authorities to “publicly state that the investigation and immediate remediation efforts of the breach will be focused on Change Healthcare, and not on the health care providers affected by the Change Healthcare breach.”
These types of ransomware attacks are becoming increasingly common. Cybercriminals, often backed by criminals with ties to foreign countries like Russia and China, are seeing how targeting large healthcare organizations can be both profitable and disruptive. UnitedHealth CEO Andrew Whitty recently told Congress that the company paid $22 million in ransom to cybercriminals.
The Change attack drew even more government attention to the issue. The White House and federal agencies have held several meetings with industry officials, and Congress requested Whitty appear earlier this month to discuss the details of the hack. Many lawmakers pointed to the growing size of health care organizations as a reason for the increasingly fragile delivery of health care services to millions of Americans.
Cybersecurity experts say that if hackers get in, hospitals have little choice but to shut down their systems. Because criminals compromise the entire computer system, “hospitals have no choice but to rely on paper,” said Errol Weiss, chief security officer at the Center for Healthcare Information Sharing and Analysis, who described the center as a virtual neighborhood watch for the industry.
Weiss said it's unrealistic to expect hospitals to have backup systems in place in case of a ransomware or malware attack. “In the current economic climate, that's not possible or feasible,” he said.