A ransomware attack on a major US hospital network that began three weeks ago is endangering patients’ health as nurses are forced to manually enter prescription information and work without electronic health records, nurses at two hospitals affected by the cyberattack told CNN.
“It’s putting patients’ lives in danger,” said a nurse who works at Ascension Providence Rochester Hospital, a 290-bed facility about 25 miles north of downtown Detroit. “People have too many patients for what is safe. Nurses are taking on five or six patients dealing with all of this paper charting.”
Another nurse, who works at a 409-bed Ascension hospital in Birmingham, Alabama, told CNN: “It is frightening how many safety guardrails [have been] out of service without any computers.”
The nurses spoke on the condition of anonymity to protect their jobs.
The cyberattack hit Ascension, a St. Louis-based nonprofit that oversees 140 hospitals across 19 states, on May 8, but the healthcare network is still working to bring its systems back online.
Ransomware attacks that cut off access to electronic health records are a grimly regular occurrence in American life. The health care sector reported 249 ransomware attacks to the FBI last year, more than any other sector, with some cases affecting patient records.
But the Ascension incident is raising concerns about the threat to patient health posed by cybercriminals in a way that numerous other ransomware attacks on US health providers haven’t, according to interviews with nurses and cybersecurity experts.
The two Ascension nurses said in separate interviews that they felt overwhelmed by the abrupt shift to paper records following the cyberattack, underwhelmed by their hospitals’ plans for dealing with the situation and worried that they or their colleagues will make mistakes entering a patient’s vital medical information.
“I don’t have any orders in the computer,” the Rochester, Michigan-based nurse said. “I can’t see what labs are ordered and their results.”
OPEIU Local 40, a union that represents nurses at Ascension Providence Rochester Hospital, distributed an online petition on Friday saying union members were “deeply concerned about the current challenges faced by our healthcare professionals” because of the cyberattack, and urged the hospital to take a series of remediating steps, including limiting the nurse-to-patient ratio.
Mac Walker, Ascension’s director of media relations, did not answer CNN’s questions about the petition or the nurses’ comments on patient safety. Instead, Walker emailed this statement on Wednesday morning:
“Restoring EHR [electronic health records] access has been among the top priorities of our recovery process,” Walker said. “Due to the hard work of our teams over the past several days, we have successfully restored EHR access in our first market and are actively progressing against a plan to restore access across our network on a rolling basis.”
Walker did not respond when asked what Ascension’s “first market” meant.
Ascension, the fourth largest hospital network in the country by some measures, said in a public statement Friday that it has been working “around the clock with industry-leading cybersecurity experts to safely restore operations across our network.”
In the wake of the Ascension hack and another ransomware attack in February that disrupted insurance billing at pharmacies across the US, Biden administration officials say they are preparing to release a set of minimum cybersecurity requirements for US hospitals. But the cybersecurity challenges in the health sector are legion and beyond the scope of any one policy prescription, experts say.
Senior officials from the White House and Department of Health and Human Services plan to meet with cybersecurity executives from health care companies on Wednesday to discuss how to better protect hospitals from hackers, three sources familiar with the meeting told CNN.
In statements to the press, Ascension has said that its staff are “appropriately trained to maintain high quality care during downtime.”
But the nurses interviewed by CNN say that the shift to paper records and manual operations is taking a toll on hospital operations. With computers down, doctors have been writing paper prescriptions for patients that nurses take to a machine to manually enter without a cross-check from the local pharmacy, according to the two nurses.
“They have to put an override in there to get the medication out,” said Dina Carlisle, president of OPEIU Local 40. “There’s no second safety check from the pharmacy.”
It has also taken an exorbitantly long time to get lab results because of the hack, the nurse in Birmingham, Alabama, told CNN. A “stat lab,” or lab work needed to make quick decisions on patient care, that normally takes 30 minutes to an hour to process has taken hours, the nurse said.
Ransomware attacks in the US routinely force hospitals to divert ambulances and cancel appointments. That causes a strain on neighboring hospitals that pick up the slack. But a lack of clear public understanding of how cyberattacks on hospitals directly impact patient care is undercutting the urgency needed to deal with the problem, according to health advocates and cybersecurity experts.
Researchers are increasingly quantifying how lethal ransomware can be.
Roughly 3 in 100 hospitalized Medicare patients will die in the hospital under normal conditions, but during a ransomware attack, that number increases to 4 out of 100 because of the strain on hospital resources, according to scholars at the University of Minnesota School of Public Health, who studied 374 ransomware attacks on health providers.
Part of the problem, experts say, is that some hospitals have failed basic tests of cybersecurity “hygiene,” or sound defensive measures, while many small clinics lack the resources to secure themselves. And, perhaps more than any other sector, health care firms hold an enormous volume of sensitive data that is ripe for targeting and extortion schemes.
The number of sensitive data records held by the health care sector grew by more than 63% last year, “far surpassing any other industry and more than five times the global average,” according to a study by security firm Rubrik.
In February, cybercriminals broke into an unsecured computer server used by Change Healthcare, an insurance billing giant that processes about 15 billion health care transactions annually. The hack cut off health care providers from billions of dollars of revenue and snarled service at pharmacies across the US.
Andrew Witty, the CEO of UnitedHealth Group, which owns Change Healthcare, apologized in a recent congressional hearing for the security lapse and said he authorized a $22 million ransom payment to hackers to try to protect patient data. Yet a third of Americans could have had their data stolen in the hack, he said.
“We routinely decline healthcare entities unwilling to address things like unpatched critical vulnerabilities, misconfigurations or uneven application of MFA [multi-factor authentication] — the very things hackers leverage to breach systems. And then we regularly see them breached later,” Sezaneh Seymour, head of regulatory risk and policy at cyber insurance firm Coalition, told CNN. (She said her firm had no specific insights into the Change Healthcare or Ascension ransomware attacks.)
Health care providers also make attractive targets for cyber extortionists because hospitals can ill afford to be offline for long, given the disruptions that causes to operations.
“When we look at ransomware targeting, it’s: who is the most easily targetable, who can afford little downtime and who has the highest willingness to pay,” Bryan Vorndran, the FBI’s senior-most cyber-focused official, said in an interview.
“And where there’s low-downtime environments, you have obviously a willingness to pay more so than in environments where they can afford downtime,” Vorndran told CNN. “I think all of that is relevant not just to the healthcare sector but to some other sectors as well.”
He declined to comment when asked about the Ascension hack.