Switching to paper records and using the phone is easy when lives aren’t on the line. But for a hospital experiencing a cyberattack, losing access to the electronic health record (EHR) system quickly turns into a nightmare. Nearly a week after a hospital system was hacked, it was still canceling appointments as it worked to bring the EHR system back online. Staff struggles to keep up.
The Southern Ohio Medical Center (SOMC) notified patients on Thursday, November 11 that their appointments were canceled due to an emergency. The ER diverted ambulances to other hospitals as staff scrambled to respond to the cyber attack. Later that day the hospital posted on its Facebook page that its systems had been hacked and there would be an “unplanned downtime of clinical systems.”
SOMC has a 248-bed hospital and several affiliated facilities around the Portsmouth, Ohio area, located 100 miles southeast of Cincinnati.
Although ambulances were no longer being diverted by Friday the 12th, as of Wednesday, November 17, it appeared that SOMC was still experiencing EHR downtime, and appointments for several locations were canceled:
- Outpatient medical imaging
- Outpatient cardiac testing
- Sleep lab
- Outpatient rehab in four locations
- Pulmonary function tests
- Anti-arrhythmia clinic
Patient Communications Can be Tricky
All public notices about the security incident have been posted to the SOMC Facebook page, while their own website has no information about it. There have been seven announcements on Facebook over seven days since it happened, and honestly, it’s heartbreaking.
A Facebook post by the hospital on Sunday the 14th shows the stress staff is experiencing as they try to manage patient care and communications:
“Office phone lines are currently extremely busy. We apologize for any inconvenience. We request your patience as we continue to work around the clock to return to normal operations.”
And then a reply from a patient shows more confusion:
“Patient portal is giving me issues. Is this part of the problem?”
Each announcement includes the marketing tagline “Very Good things are happening here”, and one person noted:
“Might wanna remove the Very Good things are happening here quote just for now it doesn’t go with this message.”
A number of people on Facebook expressed support for the staff and hospital as they work through the problems. As the issue drags on and more is learned though, it will be interesting to see how patients react if they learn their protected health information (PHI) was compromised by the attack.
A Covered Entity’s Facebook Page Creates HIPAA Problems
On another note, as explained in an earlier blog, Facebook and HIPAA, health care providers who allow posts, reviews and recommendations by patients who have not provided a written HIPAA Authorization in advance are violating the Privacy Rule. If the Office for Civil Rights (OCR) ends up investigating this incident, the Facebook page will likely be scrutinized and may be revealed to contain HIPAA violations.
How Deep was the Cyber Attack?
A week after the attack occurred, we don’t know the extent of the damage. Was there a ransom demand? Were patient files encrypted or exfiltrated? Have the intruders been locked out for now?
SOMC says it is working with law enforcement to evaluate what happened. Once they learn more they will likely announce it. If a breach occurred, they are obligated to report it to OCR and notify affected patients. All of that is yet to be determined.
Prevention is Much Less Expensive
Breaches are expensive for lots of reasons. The aftermath of the cybersecurity incident at SOMC is still in its early stages, so the full cost isn’t known.
We do know that a full HIPAA Risk Analysis, including a thorough security risk assessment, goes a long way toward uncovering vulnerabilities and preventing the worst from happening. It’s required by law, and it saves time and money.
If you want to avoid being the next cybersecurity attack victim, ask The HIPAA E-Tool® for your next steps.