The recent WannaCry ransomware attack that crippled the United Kingdom’s National Health Service (NHS) showed how more than money and IT security are at risk—patient safety is also compromised by a cyberattack.
Hospitals and doctors’ offices in parts of England had to turn away patients and cancel appointments because their IT systems were infected with ransomware. Electronic health records (EHRs) were not accessible, and entire communities were advised to seek medical care only in emergencies. The same scenario could play out here in the United States.
Ransomware is not the only risk to patient safety. As the use of computerized medical devices continues to grow, hackers may target these devices. And because healthcare is the most frequently attacked form of business, more cyber threats to patient safety are certain to arise. Our nation’s healthcare providers must approach cybersecurity as an organizational risk management and quality-of-care issue. And they must do it now.
After WannaCry, I asked myself: Would physicians and hospital staff know how to respond to protect patient safety if all computer access suddenly vanished? With 79,000 member physicians nationwide, The Doctors Company has access to experts in specialties that might be most affected by a cyber attack: obstetrics, emergency medicine, anesthesiology, and surgery. So I reached out to some of these experts to share their concerns as well as their plans to protect patients. Their insights are a wake-up call to be prepared.
Some physicians have considered the potential danger and prepared a response, which is often a return to paper records when EHR systems go down. But that might not always be easy, or even possible. Paper copies of patient medical records may not always be available, a situation that could jeopardize patient care when clinicians must act without sufficient knowledge of allergies, medications, and past treatment.
This is why Marcus Tower, MD, director of gynecology at Hillcrest Hospital (part of the Cleveland Clinic Health System), always keeps a paper backup of patient records that can be accessed quickly in the event of a computer failure. While he said losing access to computer records would be devastating to patient safety, access to paper backups would enable him to continue seeing patients even if his system was offline. Without a computer system, Dr. Tower would keep notes with time stamps. Diligence with time stamping is particularly important in obstetrics, where so much hinges on exactly when decisions were made and care was provided.
Anesthesiologist Randolph Steadman, MD, MS, at the University of California, Los Angeles, said in case of computer failure, ordering labs, imaging, and other diagnostic tests would be done by paper form and transmitted within the hospital by fax and/or conveyed by phone with paper forms to follow. But that would only be a workaround. Patient care overall would be affected, with registration slowed, he noted. Many clinicians and staff would be challenged to adapt to non-digital processes, as happened in the March 2016 cyberattack on the MedStar Health system, which has 10 hospitals and more than 250 outpatient clinics. When hackers seized control of their computer data, senior staff had to assist their younger counterparts with learning how to use paper messages and recordkeeping.
The ER could be hit hard by a cyberattack, but the physicians and staff there might be best prepared to respond, says Roneet Lev, MD, FACEP, chief of emergency medicine at Scripps Mercy Hospital in San Diego, California, and president of the Independent Emergency Physicians Consortium.
“Emergency departments have all experienced downtime with computer systems,” Dr. Lev said. “At our facility, we call this ‘Code White.’ When we hear ‘Code White’ on the speaker system, we know to get out the white board and the markers, and that things will be slower. It’s annoying and no one likes it, but we’d manage by keeping track of patients the old-fashioned way.”
Even so, a “Code White” still leaves clinicians without a way to refer to any medical records that are stored electronically. Not knowing a patient’s allergies or medical conditions is not optimal, she said, suggesting that all patients should always carry a list of their medications, allergies, and pertinent medical history on paper or on their smartphone.
Workarounds can only accomplish so much, Dr. Lev noted. A cyberattack could affect all computer-related hospital activities such as labs, x-rays, patient tracking, operating room scheduling, access to previous medical records, and treatment recommendations.
“While the emergency department would function using ‘Code White’ procedures, this is not sustainable for long-term operation of a hospital,” she said.
What these experts all seem to agree on is that in the face of an attack, the best way to protect patients is to return to practices that worked before computers.
As Ralph Gambardella, MD, orthopedic surgeon and president of the Kerlan-Jobe Orthopaedic Clinic (affiliated with Cedars-Sinai) in Los Angeles, so aptly stated: “Rather than relying on computers, I still believe that talking to—and communicating directly with—my patients is the best way to impact patient safety.”
The guidelines suggested here are not rules, do not constitute legal advice, and do not ensure a successful outcome. The ultimate decision regarding the appropriateness of any treatment must be made by each healthcare provider considering the circumstances of the individual situation and in accordance with the laws of the jurisdiction in which the care is rendered.